purecrypter | 125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a

General

Target

travelpeov.exe
Size

193.2MB
MD5

2928f4a10f1a824d26f56052accd9926
SHA1

93af9c82a7dedef40f3ab1b1a6a414210d90c192
SHA256

125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a
SHA512

4bd74f377bbd9ab41dd5fe0448a2d77e062a795b6e30a5961e2b62c70d5f1c35a470fe9a7cdbc313f40f8fbda086935e02677ba05213689bcec3b58eef5ea3e2
SSDEEP

96:eSwqiJBpnpML3uibpR3KbofKkor74BzNt:eBpnsLRPwof3oXu

Score

10^/10

purecrypter redline @gestaslinoff discovery downloader infostealer loader spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

https://www.franceconsobanque.fr/wp-admin/images/css/design/fabric/bo/Sjbgpxzi.bmp

Extracted

Family

redline

Botnet

@gestaslinoff

C2

45.15.157.131:36457

Attributes

auth_value
95adc00b732fc138a3ecc231c485a57a

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	travelpeov.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{605DB2CF-6953-4F9B-B22C-706C1575E847}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{99898C9E-8264-4A1E-BD0D-D2D599310FA4}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 2424	2304	travelpeov.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4916	powershell.exe
4916	powershell.exe
2392	powershell.exe
2392	powershell.exe
2424	travelpeov.exe
2424	travelpeov.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	travelpeov.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2424	travelpeov.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4916	2304	travelpeov.exe	81
PID 2304 wrote to memory of 4916	2304	travelpeov.exe	81
PID 2304 wrote to memory of 4916	2304	travelpeov.exe	81
PID 2304 wrote to memory of 3176	2304	travelpeov.exe	93
PID 2304 wrote to memory of 3176	2304	travelpeov.exe	93
PID 2304 wrote to memory of 3176	2304	travelpeov.exe	93
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 2304 wrote to memory of 2424	2304	travelpeov.exe	95
PID 3176 wrote to memory of 2392	3176	cmd.exe	96
PID 3176 wrote to memory of 2392	3176	cmd.exe	96
PID 3176 wrote to memory of 2392	3176	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
  C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\travelpeov.exe.log

Filesize
1KB

MD5
fa566c9cc0cdfc2479d186ed2a7d2078

SHA1
a4f5bc2d5d055a766b19f095f0a670eeda57c24b

SHA256
bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960

SHA512
ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
39812f7d90b8e4b5d8fa283b41fa1c89

SHA1
aa98334485aa60383d4b2c5ffc855c9c2f278c72

SHA256
40a50ef41177e3d0f9c111dbf01a410813f08315865f786200e6665b3668a2cc

SHA512
ad6843582af654eda5ea3b6f58d2b7b6a9dd545b4037eeebebd846cbf3ffef2d289094f55ce9094b16561927c0ab19eaf4dd6d0ddfcc8215091145321f8dd4ed

Download Submit
memory/2304-133-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/2304-134-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/2304-135-0x0000000007420000-0x0000000007442000-memory.dmp

Filesize
136KB

Download
memory/2304-132-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/2392-156-0x000000006E160000-0x000000006E1AC000-memory.dmp

Filesize
304KB

Download
memory/2392-159-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/2392-162-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/2392-161-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/2392-160-0x0000000006080000-0x000000000608E000-memory.dmp

Filesize
56KB

Download
memory/2392-158-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/2392-157-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/2392-155-0x00000000071B0000-0x00000000071E2000-memory.dmp

Filesize
200KB

Download
memory/2424-146-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2424-153-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2424-164-0x0000000006F90000-0x00000000074BC000-memory.dmp

Filesize
5.2MB

Download
memory/2424-152-0x0000000004F80000-0x000000000508A000-memory.dmp

Filesize
1.0MB

Download
memory/2424-154-0x0000000004F10000-0x0000000004F4C000-memory.dmp

Filesize
240KB

Download
memory/2424-163-0x0000000006890000-0x0000000006A52000-memory.dmp

Filesize
1.8MB

Download
memory/2424-150-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/4916-138-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/4916-141-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/4916-137-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/4916-143-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download
memory/4916-142-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/4916-140-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4916-139-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads