purecrypter | 7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

General

Target

tmp.exe
Size

1.2MB
MD5

b27e75867100b7f34b35cf147b7ce92e
SHA1

e1b51e321d8a5595cc0382198a6ab34c98924194
SHA256

7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e
SHA512

b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773
SSDEEP

24576:H1qOg/vTimfbpDY0aV9+rOL54vwe7r9MCdoavl30Og:zgHGmfbp+V9fqvwe7r9MOl

Score

10^/10

purecrypter redline tpb downloader infostealer loader spyware

Malware Config

Extracted

Family

redline

Botnet

TPB

C2

amrican-sport-live-stream.cc:4581

Attributes

auth_value
9af3f668d2aa93965a3f83753e8ccb3f

Signatures

Detect PureCrypter injector 33 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3488-134-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-135-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-137-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-140-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-142-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-144-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-146-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-148-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-150-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-152-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-154-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-156-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-158-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-160-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-162-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-164-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-166-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-168-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-170-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-172-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-174-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-176-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-178-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-180-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-182-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-184-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-186-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-188-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-190-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-192-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-194-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-196-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-198-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3488 set thread context of 976 3488 tmp.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

InstallUtil.exe

pid process

976 InstallUtil.exe
976 InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 3488 tmp.exe
Token: SeDebugPrivilege 976 InstallUtil.exe

description	pid	process	target process
PID 3488 set thread context of 976	3488	tmp.exe	InstallUtil.exe

pid	process
976	InstallUtil.exe
976	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3488	tmp.exe
Token: SeDebugPrivilege	976	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe
PID 3488 wrote to memory of 976	3488	tmp.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-10226-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/976-10227-0x000000000A700000-0x000000000AD18000-memory.dmp

Filesize
6.1MB

Download
memory/976-10228-0x000000000A250000-0x000000000A35A000-memory.dmp

Filesize
1.0MB

Download
memory/976-10229-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/976-10230-0x000000000A180000-0x000000000A192000-memory.dmp

Filesize
72KB

Download
memory/976-10236-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/976-10235-0x000000000CFD0000-0x000000000D4FC000-memory.dmp

Filesize
5.2MB

Download
memory/976-10234-0x000000000C8D0000-0x000000000CA92000-memory.dmp

Filesize
1.8MB

Download
memory/976-10233-0x000000000B270000-0x000000000B2C0000-memory.dmp

Filesize
320KB

Download
memory/976-10232-0x000000000B1F0000-0x000000000B266000-memory.dmp

Filesize
472KB

Download
memory/976-10231-0x000000000A1E0000-0x000000000A21C000-memory.dmp

Filesize
240KB

Download
memory/3488-168-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-180-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-146-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-148-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-150-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-152-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-154-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-156-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-158-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-160-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-162-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-164-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-166-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-142-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-170-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-172-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-174-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-176-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-178-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-144-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-182-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-184-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-186-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-188-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-190-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-192-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-194-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-196-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-198-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-139-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3488-140-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-137-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-135-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-134-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-133-0x0000000000030000-0x0000000000172000-memory.dmp

Filesize
1.3MB

Download
memory/3488-795-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3488-10220-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/3488-10221-0x0000000036190000-0x00000000361F6000-memory.dmp

Filesize
408KB

Download
memory/3488-10222-0x00000000363A0000-0x0000000036432000-memory.dmp

Filesize
584KB

Download
memory/3488-10223-0x00000000369F0000-0x0000000036F94000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing