purecrypter | ebb2dcf0d743e210a391d665b4589e3a0e41189ed1b21fcacc8c14caf13b1ce6

Analysis

max time kernel
139s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-05-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.3MB
MD5

86221cbb7f0dd696acfc913ad055f1e9
SHA1

52aceb9f15f0ebceef27b378e06e42613739b481
SHA256

ebb2dcf0d743e210a391d665b4589e3a0e41189ed1b21fcacc8c14caf13b1ce6
SHA512

cdeb09240ef04ac7d5b50cd03f7479e8fa40407a34d41c780350acbaeaf4d18dc9381a4cb276ca700595a3d6a5c0abb4fa987f22bfc220d39dc4c91312c8e6d9
SSDEEP

24576:g+JA0Sg9WLT0Fo2/JJTBQ0g1A9K9rjF/lQkBNnWZrXBkUGlcUDSg1fcjzajdg8MC:XJJ92wZXgu49rjF/+kBNmxZG5DSg10j/

Score

10^/10

purecrypter redline torrentold downloader infostealer loader spyware

Malware Config

Extracted

Family

redline

Botnet

TORRENTOLD

amrican-sport-live-stream.cc:4581

Attributes

auth_value
74e1b58bf920611f04c0e3919954fe05

Signatures

Detect PureCrypter injector 34 IoCs

loader

resource	yara_rule
behavioral1/memory/2044-55-0x0000000004EE0000-0x000000000515C000-memory.dmp	family_purecrypter
behavioral1/memory/2044-56-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-57-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-63-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-61-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-59-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-68-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-65-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-70-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-74-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-72-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-78-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-76-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-84-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-86-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-82-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-80-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-90-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-88-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-94-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-92-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-96-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-98-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-100-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-102-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-106-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-104-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-110-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-108-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-112-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-118-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-116-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-114-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter
behavioral1/memory/2044-120-0x0000000004EE0000-0x0000000005156000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 268	2044	tmp.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	tmp.exe
268	InstallUtil.exe
268	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	tmp.exe
Token: SeDebugPrivilege	268	InstallUtil.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 520	2044	tmp.exe	29
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30
PID 2044 wrote to memory of 268	2044	tmp.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-10185-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/268-10187-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download
memory/268-10186-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2044-88-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-56-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-61-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-59-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-66-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/2044-68-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-65-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-70-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-94-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-72-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-78-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-76-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-84-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-86-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-82-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-80-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-90-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-54-0x0000000000A10000-0x0000000000B58000-memory.dmp

Filesize
1.3MB

Download
memory/2044-74-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-63-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-104-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-98-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-100-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-102-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-106-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-96-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-110-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-108-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-112-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-118-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-116-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-114-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-120-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-1031-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/2044-10174-0x00000000024F0000-0x0000000002550000-memory.dmp

Filesize
384KB

Download
memory/2044-57-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-92-0x0000000004EE0000-0x0000000005156000-memory.dmp

Filesize
2.5MB

Download
memory/2044-55-0x0000000004EE0000-0x000000000515C000-memory.dmp

Filesize
2.5MB

Download