purecrypter

General

Target

setup (1).zip
Size

201.8MB
Sample

230221-jsvhlsea82
MD5

0a504a456d852134006e317fa4b2b58c
SHA1

9523798d294aabf86f64db732a4314b04c1a0265
SHA256

c5f1dfbf8d4b1d8d5c43f668292056d5b670fea174e6e79d3cc2ba341d66a21f
SHA512

d46c71ca8eda42ae6eff316da7bc9aec6e14002dd2e7e400131b40e231949876c4f525ff5281d1fa8c956e4fe905c9b4fe3c45641a858a85246ed2a772896a29
SSDEEP

3145728:atfMyBMh3TS7IAMPwPhEjdtewveo6tfMyBMh3TS7IAMPwPhEjdtewveoCFW0sRlk:XZhlqEJ8wvH3ZhlqEJ8wvHMW5Rl5Y7

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

https://speedysecurity.com.br/images/css/waves/bo/Upjcuf.bmp

Extracted

Family

redline

Botnet

@fjiif563

C2

45.15.157.131:36457

Attributes

auth_value
ef361597d90539bf547a8edad2ebafde

Targets

- Target
  
  data/vulkan-1.dll
- Size
  
  894KB
- MD5
  
  4b29603d5f208f805a5227fa1d6713cc
- SHA1
  
  ef7c6478e26dd2c2f4fc4ecce0b7d710a9023f09
- SHA256
  
  998280e73d8a5d62a25d335b291363d15f3746492ac3d5f4479549f9442c6b9e
- SHA512
  
  f863571fd13aea9bbdd0d96ed671a6cd11f28a3a9677357317b6afc0c8990c23176c1ce68a645057cb2dc09d2fc5d93963b7578ae50aa3636d049b5a68584d31
- SSDEEP
  
  12288:UQgtdWVrC+8eiZB25pL82ZWdAKT0Yo5KE1so3AJLLP:U1dWtNbBZWz6t1svtT
Score

3^/10
behavioral1 behavioral2
- Target
  
  setup.exe
- Size
  
  565.8MB
- MD5
  
  b34cf82d7d10a1c8421ef3fe65e4de46
- SHA1
  
  574c8dd9986952916786b03c0261230a933f3e9d
- SHA256
  
  7e73c496079d96e4ccec427679b791518f25aaca20585a5d54f632064ff880ae
- SHA512
  
  69fb1cb2e37c7b3321ff898aac936233521026834c07b92a7c8fa7885a363f5b2a6d6d455309435802f70827bc7ecb955ed9e4c7a8fdbcde212bc479748647ed
- SSDEEP
  
  1536:8rae78zjORCDGwfdCSog01313fs5gG8m:kahKyd2n31E5d
Score

10^/10

purecrypter downloader loader persistence redline @fjiif563 infostealer
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect PureCrypter injector

RedLine

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4