purecrypter | ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7 | Triage

Submit
Reports

Overview

overview

Static

static

3

pack.exe

windows7-x64

pack.exe

windows10-2004-x64

Sharing

General

Target

pack.com
Size

500.1MB
Sample

230602-zdagwsed34
MD5

e893801ca83e49f84dca107d6e1162b4
SHA1

3122871288ac44693324194b793fc40347360bd4
SHA256

ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7
SHA512

94f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719
SSDEEP

384:ogPThofsksm2/HMLntRBSlwy/VpREaEhAqDjbY2QuzDf+m9xgJJt/V4568OwXpkD:tIXxOn6ZDn7d21448OKpkBC5ZF/i1

Score

10^/10

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

pack.exe

Resource

win7-20230220-en

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan

windows7-x64

15 signatures

300 seconds

Behavioral task

behavioral2

Sample

pack.exe

Resource

win10v2004-20230220-en

purecrypter quasar office04 downloader loader persistence spyware trojan

windows10-2004-x64

18 signatures

300 seconds

Malware Config

Extracted

Family

purecrypter

C2

http://95.214.24.37/SystemEnv/uploads/programme_Hdayjetq.jpg

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

45.83.122.111:5557

Mutex

p337SdjNpEb5aKmAPc

Attributes

encryption_key
JzZjeR51DHpipyQ3lm91
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Targets

- Target
  
  pack.com
- Size
  
  500.1MB
- MD5
  
  e893801ca83e49f84dca107d6e1162b4
- SHA1
  
  3122871288ac44693324194b793fc40347360bd4
- SHA256
  
  ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7
- SHA512
  
  94f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719
- SSDEEP
  
  384:ogPThofsksm2/HMLntRBSlwy/VpREaEhAqDjbY2QuzDf+m9xgJJt/V4568OwXpkD:tIXxOn6ZDn7d21448OKpkBC5ZF/i1
Score

10^/10

purecrypter quasar revengerat office04 downloader loader persistence spyware trojan
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

purecrypterquasarrevengeratoffice04downloaderloaderpersistencespywaretrojan

behavioral2

purecrypterquasaroffice04downloaderloaderpersistencespywaretrojan

© 2018-2024

Terms | Privacy