purecrypter | b828fabbbc217d50542d19c8f8fb2b49c924f7a0cc6cbbc404e4439063febe51

General

Target

Remittance of $76,000.00.exe
Size

7KB
MD5

35004f2270d99d582de6c138614e602c
SHA1

726df09a779ac8d2cb23e0ff3e5aca32b5a7874e
SHA256

b828fabbbc217d50542d19c8f8fb2b49c924f7a0cc6cbbc404e4439063febe51
SHA512

4eb17d42c3c2b9a4299153784690dd2030a5a7572bc5f34e3038392ea5dc881f2f962777f0dea28a1cef59c8012a670c547d4dbcbc1a98c37ba785f984fcd9f8
SSDEEP

192:li64f60lNCQEeL+57HNCx0L0Lyfzn5G9:L4f9oveL+5rNCqL0LyfzE

Score

10^/10

purecrypter collection downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

http://85.31.45.42/Hmumry.png

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Remittance of $76,000.00.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Remittance of $76,000.00.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Remittance of $76,000.00.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Remittance of $76,000.00.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
31	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	powershell.exe
4544	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	Remittance of $76,000.00.exe
Token: SeDebugPrivilege	4544	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4544	2912	Remittance of $76,000.00.exe	83
PID 2912 wrote to memory of 4544	2912	Remittance of $76,000.00.exe	83
PID 2912 wrote to memory of 4544	2912	Remittance of $76,000.00.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Remittance of $76,000.00.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Remittance of $76,000.00.exe

C:\Users\Admin\AppData\Local\Temp\Remittance of $76,000.00.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance of $76,000.00.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jthvzurt.p4x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2912-133-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2912-135-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/2912-136-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/2912-137-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2912-138-0x0000000007960000-0x0000000007982000-memory.dmp

Filesize
136KB

Download
memory/2912-158-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2912-170-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2912-169-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2912-168-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2912-167-0x0000000008C40000-0x0000000008E02000-memory.dmp

Filesize
1.8MB

Download
memory/2912-166-0x0000000008A20000-0x0000000008A70000-memory.dmp

Filesize
320KB

Download
memory/2912-134-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/2912-165-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4544-139-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download
memory/4544-156-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-157-0x0000000006440000-0x000000000645A000-memory.dmp

Filesize
104KB

Download
memory/4544-155-0x00000000075C0000-0x0000000007C3A000-memory.dmp

Filesize
6.5MB

Download
memory/4544-160-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-159-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-161-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-154-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/4544-144-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4544-142-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4544-143-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-141-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4544-140-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing