purecrypter | 7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2023 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.2MB
MD5

b27e75867100b7f34b35cf147b7ce92e
SHA1

e1b51e321d8a5595cc0382198a6ab34c98924194
SHA256

7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e
SHA512

b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773
SSDEEP

24576:H1qOg/vTimfbpDY0aV9+rOL54vwe7r9MCdoavl30Og:zgHGmfbp+V9fqvwe7r9MOl

Score

10^/10

purecrypter redline tpb downloader infostealer loader spyware

Malware Config

Extracted

Family

redline

Botnet

TPB

amrican-sport-live-stream.cc:4581

Attributes

auth_value
9af3f668d2aa93965a3f83753e8ccb3f

Signatures

Detect PureCrypter injector 33 IoCs

loader

resource	yara_rule
behavioral2/memory/3488-134-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-135-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-137-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-140-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-142-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-144-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-146-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-148-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-150-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-152-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-154-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-156-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-158-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-160-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-162-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-164-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-166-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-168-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-170-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-172-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-174-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-176-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-178-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-180-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-182-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-184-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-186-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-188-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-190-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-192-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-194-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-196-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter
behavioral2/memory/3488-198-0x0000000004A60000-0x0000000004CC9000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 976	3488	tmp.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
976	InstallUtil.exe
976	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	tmp.exe
Token: SeDebugPrivilege	976	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90
PID 3488 wrote to memory of 976	3488	tmp.exe	90

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-10226-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/976-10227-0x000000000A700000-0x000000000AD18000-memory.dmp

Filesize
6.1MB

Download
memory/976-10228-0x000000000A250000-0x000000000A35A000-memory.dmp

Filesize
1.0MB

Download
memory/976-10229-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/976-10230-0x000000000A180000-0x000000000A192000-memory.dmp

Filesize
72KB

Download
memory/976-10236-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/976-10235-0x000000000CFD0000-0x000000000D4FC000-memory.dmp

Filesize
5.2MB

Download
memory/976-10234-0x000000000C8D0000-0x000000000CA92000-memory.dmp

Filesize
1.8MB

Download
memory/976-10233-0x000000000B270000-0x000000000B2C0000-memory.dmp

Filesize
320KB

Download
memory/976-10232-0x000000000B1F0000-0x000000000B266000-memory.dmp

Filesize
472KB

Download
memory/976-10231-0x000000000A1E0000-0x000000000A21C000-memory.dmp

Filesize
240KB

Download
memory/3488-168-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-180-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-146-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-148-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-150-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-152-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-154-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-156-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-158-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-160-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-162-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-164-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-166-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-142-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-170-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-172-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-174-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-176-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-178-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-144-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-182-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-184-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-186-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-188-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-190-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-192-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-194-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-196-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-198-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-139-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3488-140-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-137-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-135-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-134-0x0000000004A60000-0x0000000004CC9000-memory.dmp

Filesize
2.4MB

Download
memory/3488-133-0x0000000000030000-0x0000000000172000-memory.dmp

Filesize
1.3MB

Download
memory/3488-795-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3488-10220-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/3488-10221-0x0000000036190000-0x00000000361F6000-memory.dmp

Filesize
408KB

Download
memory/3488-10222-0x00000000363A0000-0x0000000036432000-memory.dmp

Filesize
584KB

Download
memory/3488-10223-0x00000000369F0000-0x0000000036F94000-memory.dmp

Filesize
5.6MB

Download