PureCrypter is a fully featured loader sold since 2021 that distributes a range of remote access trojans and information stealers. It uses a .NET-based, obfuscated, and encrypted delivery chain with protobuf-configured options for persistence, injection, and defense evasion to deliver final payloads such as SnakeKeylogger and other RATs. #PureCrypter #PureCoder #SnakeKeylogger #AgentTesla #Remcos #DcRAT
Keypoints
- PureCrypter is a fully-featured loader being sold since at least March 2021
- The malware has been observed distributing a variety of remote access trojans and information stealers
- The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products
- PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format
- The infection chain includes a first-stage downloader, a second-stage injector, and final payload injection into a target process (SnakeKeylogger in MSBuild.exe)
- The threat actor operates under the moniker “PureCoder” and offers a malware builder with additional tools for infection vectors
- New features add anti-analysis/anti-defense capabilities (e.g., memory bombing, anti-delete, Discord/Telegram status reporting) and extensive persistence options
MITRE Techniques
- [T1105] Ingress Tool Transfer – The application secretly downloads a .NET assembly from a command and control server to bypass security products. ‘The application secretly downloads a .NET assembly from a command and control server…’
- [T1027] Obfuscated/Compressed Files and Information – The second-stage payload is obfuscated with the commercial tool SmartAssembly and is compressed/encrypted; the loader handles compressed/encrypted data via a resource resolver. ‘The module entrypoint first adds an assembly and a resource resolver… handle compressed and/or encrypted data.’
- [T1055] Process Injection – PureCrypter injects the final malware payload inside another process; in this sample, a SnakeKeylogger payload is injected into MSBuild.exe. ‘injects the final malware payload inside another process. In this sample, PureCrypter injects a SnakeKeylogger sample inside the process MSBuild.exe.’
- [T1036] Masquerading – The first-stage downloader is disguised as a fake date console application. ‘The first-stage is a simple downloader disguised as a fake date console application.’
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via startup mechanisms (Run key, Startup folder, etc.); the source’s ‘Startup enumeration’ lists the registry key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ with a value named after ‘FILENAME’ holding the ‘Full path of FILENAME’.
- [T1562.001] Impair Defenses – Adds a Microsoft Defender exclusion path via a Base64-encoded PowerShell command (Set-MpPreference -ExclusionPath) to bypass defenses. ‘Run a Base64 encoded powershell command: “Set-MpPreference -ExclusionPath”’
- [T1497] Virtualization/Sandbox Evasion – Anti-VM/sandbox checks via WMI data and environment queries. ‘Queries the WMI object Win32_BIOS for the computer’s SerialNumber and Version…’
- [T1059.001] PowerShell – PowerShell-based actions (e.g., exclusion commands) are used as part of defense evasion and loader operation. ‘Base64 encoded powershell command’ referenced in the protobuf features.
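As an added detection example (not code from the Zscaler write-up), the following Python decodes the Base64-encoded PowerShell command line described under T1562.001 and T1059.001 and flags Set-MpPreference exclusions, whether they appear in clear text or behind -EncodedCommand; the sample command lines are constructed here, not taken from the source.

```python
import base64
import re
from typing import Optional

# PowerShell accepts several spellings of the encoded-command switch.
ENC_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A Defender exclusion being added; the argument (path, process or extension) is captured.
EXCLUSION = re.compile(
    r"Set-MpPreference\b[^\n]*?-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"\s;]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand argument (Base64 of UTF-16LE) or return None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding, junk, or an odd byte count
        return None


def detect_defender_exclusion(cmdline: str) -> Optional[dict]:
    """Return a hit if the command line (plain or encoded) adds a Defender exclusion."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline  # fall back to the raw line
    m = EXCLUSION.search(text)
    if not m:
        return None
    return {"encoded": decoded is not None, "exclusion": m.group(1), "command": text}


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects; used only to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, in the form Sysmon Event ID 1 / Security 4688 record them.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -enc "
    + _enc("Set-MpPreference -ExclusionPath 'C:\\Users\\Public'"),
    "powershell.exe -Command Set-MpPreference -ExclusionProcess MSBuild.exe",
    "powershell.exe -enc " + _enc("Get-MpPreference"),      # benign query, must not fire
    "powershell.exe -enc QUJDQUJDQUJDQUJDQUJD",             # valid Base64, 15 bytes: not UTF-16
]


def scan(cmdlines) -> list:
    """Run the detector over a batch of command lines and keep the hits."""
    return [hit for hit in map(detect_defender_exclusion, cmdlines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit)
```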
Indicators of Compromise
- [URL] Download URLs (first two examples; the source lists more): http://amcomri.upro[.]site/.tmb/ID44/313606953372.jpg, https://cdn.discordapp[.]com/attachments/933024359981932666/934953013670449253/Koieiminr.jpg
- [IMG hash] 4a88f9feaed04917f369fe5089f5c09f791bf1214673f6313196188e98093d74
- [Hash] PureCrypter hash – 7bd6a945f1de0e390d2669c027549b49107bf116f8b064bf86b5e897794f46f9
- [Hash] SnakeKeylogger hash – a6d53346613f2af382cd90163a9604d63f8d89a951896fc40eed00a116aa55c3
- [URL] Additional example URLs (the source lists more): http://gbtak[.]ir/wp-content/846569297734.jpg, https://transfer[.]sh/get/3tWVO9/Evbccj.png
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter