purecrypter | 31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2023 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d046356adc419adef4049f5ec0529fa.exe
Size

1.3MB
MD5

2d046356adc419adef4049f5ec0529fa
SHA1

59b79b81155927260c7e5c73c1505b7ff820fcd7
SHA256

31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
SHA512

118b6af39c3107785695e61b050a2d767a86f6efe42c7c2afec0f49b651ba318d7a8d783aa7c12936d2aa5a93e4d34e39944e3587dd90dbe36a719ac18e36297
SSDEEP

24576:FfEZRk+1BmMN+wkQZVhtMOb7UlyPeNks08yfcadLetM7ckAx:Ff3IcMNHRLF4yP8k+y5UYnc

Score

10^/10

purecrypter redline z2k downloader infostealer loader

Malware Config

Extracted

Family

redline

Botnet

Z2K

amrican-sport-live-stream.cc:4581

Attributes

auth_value
8a9de6d1ef98f81da5a7e46825e88077

Signatures

Detect PureCrypter injector 33 IoCs

loader

resource	yara_rule
behavioral2/memory/4492-134-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-135-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-137-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-140-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-142-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-144-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-146-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-148-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-150-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-152-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-154-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-156-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-158-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-160-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-162-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-164-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-166-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-168-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-170-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-172-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-174-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-176-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-178-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-180-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-182-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-184-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-186-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-188-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-190-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-192-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-194-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-196-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter
behavioral2/memory/4492-198-0x0000000004C40000-0x0000000004EBF000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	2d046356adc419adef4049f5ec0529fa.exe
4492	2d046356adc419adef4049f5ec0529fa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	2d046356adc419adef4049f5ec0529fa.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2688	4492	2d046356adc419adef4049f5ec0529fa.exe	84
PID 4492 wrote to memory of 2688	4492	2d046356adc419adef4049f5ec0529fa.exe	84
PID 4492 wrote to memory of 2688	4492	2d046356adc419adef4049f5ec0529fa.exe	84
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85
PID 4492 wrote to memory of 3152	4492	2d046356adc419adef4049f5ec0529fa.exe	85

C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe
"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3152-10330-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3152-10336-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3152-10335-0x000000000A530000-0x000000000A56C000-memory.dmp

Filesize
240KB

Download
memory/3152-10334-0x000000000A4D0000-0x000000000A4E2000-memory.dmp

Filesize
72KB

Download
memory/3152-10333-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

Filesize
1.0MB

Download
memory/3152-10332-0x000000000AA60000-0x000000000B078000-memory.dmp

Filesize
6.1MB

Download
memory/3152-10331-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4492-174-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-182-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-148-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-150-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-152-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-154-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-156-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-158-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-160-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-162-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-164-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-166-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-168-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-170-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-172-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-133-0x0000000000190000-0x00000000002DC000-memory.dmp

Filesize
1.3MB

Download
memory/4492-176-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-178-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-180-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-146-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-184-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-186-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-188-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-190-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-192-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-194-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-196-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-198-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-782-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4492-10324-0x0000000000850000-0x0000000000872000-memory.dmp

Filesize
136KB

Download
memory/4492-10325-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/4492-10326-0x0000000036710000-0x00000000367A2000-memory.dmp

Filesize
584KB

Download
memory/4492-10327-0x0000000036D60000-0x0000000037304000-memory.dmp

Filesize
5.6MB

Download
memory/4492-144-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-142-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-140-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-138-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4492-137-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-135-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download
memory/4492-134-0x0000000004C40000-0x0000000004EBF000-memory.dmp

Filesize
2.5MB

Download