PureCrypter is a fully-featured malware loader, developed by a threat actor called "PureCoder," that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PureCrypter can set multiple Registry Run keys to establish persistence.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | PureCrypter can execute PowerShell commands to exclude files from EDR and to self-delete.[1][2] |
| Enterprise | T1622 | Debugger Evasion | PureCrypter has the ability to call |
| Enterprise | T1678 | Delay Execution | PureCrypter has the ability to delay for a specified number of seconds before execution.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PureCrypter can decrypt downloaded resources and parse internal files to determine its settings.[1][2] |
| Enterprise | T1685 | Disable or Modify Tools | PureCrypter has executed |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PureCrypter can use AES to encrypt system information sent to the C2.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PureCrypter can send a TLS 1.2 encrypted infection message via Discord webhook.[1] |
| Enterprise | T1480 | Execution Guardrails | PureCrypter code contains an `ExclusionRegionNames` option where it can compare the results of |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | PureCrypter code contains a global mutex.[1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | PureCrypter can set |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PureCrypter can execute a PowerShell command to self-delete.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | PureCrypter can download additional payloads for execution on the compromised host.[1][2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | PureCrypter has used multiple file names to appear legitimate, such as `firefox\firefox.exe`, `Google\chrome.exe`, and `Taskmgr.exe`.[1] |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | PureCrypter has used a .NET downloader named `63342221.BAT` and has used `.jpg`, `.png`, and `.log` as false extensions for malicious files.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PureCrypter has used SmartAssembly and .NET Reactor for string encryption and control flow obfuscation.[1][2] |
| Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | PureCrypter can insert junk code to avoid detection.[1] |
| Enterprise | T1057 | Process Discovery | PureCrypter can enumerate processes on compromised hosts.[2] |
| Enterprise | T1055 | Process Injection | PureCrypter can inject its final stage into another process on the targeted system.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | PureCrypter can maintain persistence with scheduled tasks.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | PureCrypter can identify installed antivirus solutions.[2] |
| Enterprise | T1082 | System Information Discovery | PureCrypter can enumerate a targeted system's `SerialNumber` and `Version`.[1][2] |
| Enterprise | T1614 | System Location Discovery | PureCrypter can use |
| Enterprise | T1033 | System Owner/User Discovery | PureCrypter can retrieve the username from targeted machines.[2] |
| Enterprise | T1673 | Virtual Machine Discovery | PureCrypter can identify virtual machines by querying the WMI object `Win32_ComputerSystem` for manufacturer and model and checking the result against the regular expression `Microsoft\|VMWare\|Virtual`.[1] |
| Enterprise | T1102 | Web Service | PureCrypter can use Telegram or Discord to send infection status messages.[1] |
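The two Masquerading rows above (T1036.005 and T1036.008) describe artifacts a defender can check for directly: PE images carrying image or log extensions, and well-known executable names living outside their install directories. The following is an added example, not code from the ATT&CK page or from PureCrypter, that scans constructed (path, leading bytes) records for both. The magic-byte signatures are the standard PNG/JPEG/PE headers, and the "expected directories" for `Taskmgr.exe`, `firefox.exe` and `chrome.exe` are assumed default install locations on an English Windows system; both tables are assumptions, not values from the page.

```python
"""Added example: flag T1036.008 (declared extension disagrees with file content)
and T1036.005 (known executable name outside its expected directory).
Sample records below are constructed, not real PureCrypter artifacts."""
import ntpath

# Standard leading bytes for the content types PureCrypter is reported to imitate.
SIGNATURES = (
    ("pe", b"MZ"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
)

# Extensions that legitimately carry a PE image (assumed list).
PE_EXTENSIONS = {"exe", "dll", "scr", "sys", "ocx", "cpl"}

# Assumed default install directories for the borrowed file names on the page.
EXPECTED_DIRS = {
    "taskmgr.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "firefox.exe": (r"c:\program files\mozilla firefox",
                    r"c:\program files (x86)\mozilla firefox"),
    "chrome.exe": (r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"),
}


def classify_content(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for label, magic in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_file_type(path: str, data: bytes):
    """T1036.008: a PE header behind an extension that should not be executable."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if classify_content(data) == "pe" and ext not in PE_EXTENSIONS:
        return f"{path}: PE header (MZ) but extension .{ext}"
    return None


def check_location(path: str):
    """T1036.005: a well-known executable name outside its install directory."""
    norm = _normalize(path)
    name = ntpath.basename(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None
    if ntpath.dirname(norm) in expected:
        return None
    return f"{path}: {name} outside expected directories {expected}"


def scan(records):
    """Run both checks over (path, leading_bytes) records; return findings."""
    findings = []
    for path, data in records:
        for finding in (check_file_type(path, data), check_location(path)):
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records: (path, first bytes of the file).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    (r"C:\Users\alice\AppData\Roaming\updates\photo.jpg", PE_STUB),  # PE as .jpg
    (r"C:\Users\alice\AppData\Local\Temp\63342221.BAT", PE_STUB),  # PE as .BAT
    (r"C:\Users\alice\Pictures\cat.png", PNG_STUB),                 # genuine PNG
    (r"C:\Users\alice\AppData\Roaming\firefox\firefox.exe", PE_STUB),  # wrong dir
    (r"C:\Windows\System32\Taskmgr.exe", PE_STUB),                  # genuine location
    (r"C:\Users\alice\AppData\Local\Temp\Taskmgr.exe", PE_STUB),    # wrong dir
]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```

On a live host the same two functions can be fed from a directory walk that reads only the first 16 bytes of each file; the content check is what catches the `.jpg`/`.png`/`.log` payloads, since an extension-based scanner never opens them.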
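The Virtual Machine Discovery row (T1673) quotes the exact regular expression PureCrypter applies to the `Win32_ComputerSystem` manufacturer and model. Reproducing that check against the strings typical hypervisors report shows which analysis environments it would recognise and which would slip through, which is what an analyst hardening a sandbox needs to know. This is an added example, not code from the page or from PureCrypter; the platform strings are typical values and are assumptions, and the page does not say whether PureCrypter matches case-insensitively, so both modes are shown.

```python
"""Added example: apply the Microsoft|VMWare|Virtual check from the page to
typical Win32_ComputerSystem values. Platform strings are assumed, not from the page."""
import re
import subprocess
import sys

# Exactly the pattern quoted on the page for T1673.
VM_PATTERN = "Microsoft|VMWare|Virtual"


def looks_virtual(manufacturer: str, model: str, ignore_case: bool = False) -> bool:
    """True if either WMI field matches the pattern (page does not state case handling)."""
    rx = re.compile(VM_PATTERN, re.IGNORECASE if ignore_case else 0)
    return bool(rx.search(manufacturer) or rx.search(model))


# Assumed typical (Manufacturer, Model) pairs reported by Win32_ComputerSystem.
PLATFORMS = {
    "Hyper-V": ("Microsoft Corporation", "Virtual Machine"),
    "VMware (legacy model string)": ("VMware, Inc.", "VMware Virtual Platform"),
    "VMware (newer hardware version)": ("VMware, Inc.", "VMware7,1"),
    "VirtualBox": ("innotek GmbH", "VirtualBox"),
    "QEMU/KVM": ("QEMU", "Standard PC (Q35 + ICH9, 2009)"),
    "Physical (Dell)": ("Dell Inc.", "Latitude 7420"),
}


def evaluate(platforms=PLATFORMS, ignore_case: bool = False) -> dict:
    """Map each platform name to whether the check would flag it as a VM."""
    return {name: looks_virtual(manu, model, ignore_case)
            for name, (manu, model) in platforms.items()}


def query_local_system():
    """Read the live values on Windows via PowerShell/CIM; None elsewhere."""
    if sys.platform != "win32":
        return None
    cmd = ("Get-CimInstance Win32_ComputerSystem | "
           "ForEach-Object { $_.Manufacturer; $_.Model }")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True, check=True).stdout
    manufacturer, model = [s.strip() for s in out.splitlines()[:2]]
    return manufacturer, model


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_case={mode}")
        for name, flagged in evaluate(ignore_case=mode).items():
            print(f"  {name:32} {'VM' if flagged else 'not flagged'}")
    live = query_local_system()
    if live:
        print("this host:", live, "->", looks_virtual(*live, ignore_case=True))
```

Two things fall out of the run. `VMware, Inc.` does not match `VMWare` case-sensitively, so a VMware guest with a modern model string such as `VMware7,1` is only caught if the match ignores case; and a QEMU/KVM guest with stock SMBIOS strings is never caught by this pattern, which is why it matters that sandboxes expose the same strings the malware expects if the goal is to observe its evasion path rather than bypass it.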
| ID | Name | References |
|---|---|---|
| G0099 | APT-C-36 | APT-C-36 has used PureCrypter during operations.[2] |