Analysis of the Pure Malware Family: Unique and Growing Threat

This analysis dissects the Pure malware family, focusing on PureCrypter (a .NET crypter/loader) and PureLogs (a multifunctional stealer), their staged and stage-less loaders, encryption/decompression routines, and C2 traffic formats. The report details decryption recipes (XOR, AES/Rijndael, 3DES), protobuf-based configuration parsing, injection/persistence behaviors, and network IOCs. #PureCrypter #PureLogs

Keypoints

  • Pure family tools (PureCrypter, PureLogs, PureMiner) are distributed via a vendor site and a Telegram bot and are sold as “educational” tools but used maliciously.
  • Loaders come in two variants: Staged (downloads encrypted payloads with legitimate-looking extensions and uses a 3‑byte XOR) and Stage-less (payload stored in resources, decrypted with AES and 3DES, then decompressed).
  • Common crypto chain: payloads/resources are encrypted (XOR/AES/3DES), often compressed with GZIP, sometimes byte-reversed, then loaded into memory or injected into spawned processes.
  • PureCrypter decrypts resources (AES/3DES), deserializes protobuf configuration (protobuf-net), reverses bytes, gunzips, then launches/injects the final payload (third-party like AgentTesla or PureLogs).
  • PureLogs collects browser data, crypto wallets, and user and system information, serializes and compresses it, encrypts it with 3DES (key stored/encrypted in resources), and sends three-part C2 traffic (hash, data, hash) with a 4-byte length prefix.
  • PureMiner samples share the same traffic/encryption/protobuf patterns, persist via scheduled tasks, deploy miners (XMRig), and perform process injection similar to other Pure variants.

MITRE Techniques

  • [T1140] Deobfuscate/Decode Files or Information – Used to decrypt and deobfuscate resources and payloads prior to execution (‘Deobfuscate/Decode resources and files’)
  • [T1082] System Information Discovery – Pure family gathers system and environment details for profiling and selection (‘Pure-malware discovery system information’)
  • [T1083] File and Directory Discovery – PureLogs scans local files/directories for data to exfiltrate (‘PureLogs discovers files for stealing’)
  • [T1119] Automated Collection – Automated collection routines aggregate browser data, wallets, and system info (‘Collect information’)
  • [T1005] Data from Local System – Stealer retrieves data from local sources prior to exfiltration (‘Search local system sources for stealing’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Loader and stealer use HTTP-based connections and custom application-layer messaging for C2 (‘Connection and delivery’)

Indicators of Compromise

  • [SHA256] PureCrypter/Payload samples – 3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8, 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
  • [MD5] Example file hashes – 0f60f086665fd4d442821851c878c21b, 491310d10c0ea2d217c90a2403c20bea
  • [File names] Dropped or observed files – QUOTATION_NOVQTRFA00541·PDF.scr, RH2023-17.exe
  • [Dropped paths] Persistence/install locations – C:\Users\admin\AppData\Roaming\ydVSL\ydVSL.exe, C:\Users\admin\AppData\Roaming\HResultTypeId.exe
  • [IP addresses] Network C2 / payload hosting – 5.181.80.126, 91.92.120.119
  • [Domains/URLs] Hosting and C2 endpoints – http://5.181.80.126/Hjysa.mp4, Teleturismo[.]it (and Farmjo[.]mine[.]nu)

PureCrypter loaders operate in two modes. The staged loader fetches files that appear to be benign media or data (extensions like .mp4, .vdf, .mp3) but contain encrypted executables; these are XOR‑encrypted (key length often 3 bytes) and then written and decrypted at runtime. The stage-less variant embeds an AES‑encrypted resource (Rijndael with embedded key/IV), which is decrypted and decompressed to yield another encrypted resource; that second resource is decrypted (3DES, CBC with an embedded key/IV), decompressed, and loaded as a .NET assembly. Both flows commonly use Protobuf (protobuf-net) to deserialize configuration data, and Costura-style resources are used to bundle dependencies.
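The staged-loader layer above is the one an analyst meets first: a downloaded ".mp4" that is really a PE file under a short repeating XOR key. The following is an added example (not code from the ANY.RUN report or from the Pure tooling) showing how a 3-byte key can be recovered from the ciphertext alone. It relies on a property of PE images rather than on anything Pure-specific: PE headers and section slack contain long runs of 0x00, so for each key position the most frequent ciphertext byte at that stride is almost always `0x00 ^ key[i]`. The PE-shaped sample blob and the key `4b 9c 27` are constructed for the demonstration; the key length of 3 is taken from the report.

```python
from collections import Counter
from typing import Optional, Tuple

KEY_LEN = 3  # the report observes 3-byte XOR keys on staged payloads


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Frequency heuristic: for each key position take every key_len-th byte and
    assume the commonest value is 0x00 XOR key[i], i.e. key[i] itself."""
    key = bytearray()
    for i in range(key_len):
        stride = blob[i::key_len]
        key.append(Counter(stride).most_common(1)[0][0])
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check on the result: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_staged_payload(blob: bytes, key_len: int = KEY_LEN) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Recover the key, decrypt, and only return a result that validates as a PE."""
    key = recover_xor_key(blob, key_len)
    plain = xor_bytes(blob, key)
    if looks_like_pe(plain):
        return key, plain
    return None, None


# --- constructed sample: a PE-shaped blob, not a real PureCrypter download ---
def build_fake_pe() -> bytes:
    """DOS header with e_lfanew=0x80, the usual DOS stub text, a PE signature,
    then zero padding and a short repeated code-like pattern."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    pe_header = b"PE\0\0" + bytes(0x200)
    return bytes(dos) + pe_header + b"\x55\x8b\xec" * 100 + bytes(0x400)


SAMPLE_KEY = b"\x4b\x9c\x27"  # constructed key for the demonstration
ENCRYPTED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decrypt_staged_payload(ENCRYPTED_SAMPLE)
    print("recovered key:", key.hex() if key else None)
    print("valid PE:", plain is not None)
```

The heuristic fails on a blob that contains no zero-heavy region (a compressed or already-encrypted inner payload), which is why the result is gated on `looks_like_pe` rather than returned unconditionally; in that case the function returns `(None, None)` and the analyst knows a different layer sits on top.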

After decryption and decompression, PureCrypter reverses byte order where applicable, inflates GZIP streams, and either loads a third‑party .NET payload (example: AgentTesla) or its own PureLogs module. The runtime performs environment checks (VM/sandbox indicators, monitor size, username list, WMI BIOS/system queries) and can establish persistence via Run keys or Startup entries, use mutexes, and spawn a new process for reflective loading or injection. Injection options include standard library loading or decrypt‑then‑load from resources; final payload execution typically occurs in a newly created process to evade detection.
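Two of the behaviours in the paragraph above are observable from host telemetry without unpacking anything: a Run-key or Startup-folder entry pointing at a freshly dropped binary under AppData\Roaming (the IOC section lists exactly such paths), and that binary then creating a new process for the decrypted payload. The following is an added detection sketch, not code from the report, that applies those two checks to a list of constructed Sysmon-style events. The event field names (`type`, `key`, `value`, `data`, `path`, `parent_image`, `image`) are assumptions for the example; the file names in the sample events are taken from the IOC list above, while the benign events are invented for contrast.

```python
import re
from typing import Dict, List

# Registry locations and folders the report names for persistence
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Per-user roaming profile, where the dropped paths in the IOC list live
ROAMING = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)


def flag_persistence(ev: Dict) -> List[str]:
    """Run-key value whose target is under AppData\\Roaming, or any new Startup-folder entry."""
    hits = []
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]) and ROAMING.match(ev["data"]):
        hits.append(f"Run key '{ev['value']}' -> {ev['data']}")
    if ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"]):
        hits.append(f"Startup entry {ev['path']}")
    return hits


def flag_spawn(ev: Dict) -> List[str]:
    """A binary running from AppData\\Roaming creating a child process: the point at
    which the report says the decrypted payload is executed or injected."""
    if ev["type"] == "process_create" and ROAMING.match(ev["parent_image"]):
        return [f"{ev['parent_image']} spawned {ev['image']}"]
    return []


def scan(events: List[Dict]) -> List[str]:
    findings = []
    for ev in events:
        findings.extend(flag_persistence(ev))
        findings.extend(flag_spawn(ev))
    return findings


# Constructed events (not a real capture); only the dropped file names come from the IOC list.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "ydVSL",
     "data": "C:\\Users\\admin\\AppData\\Roaming\\ydVSL\\ydVSL.exe"},
    {"type": "registry_set",  # benign-looking entry for contrast
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "VendorUpdater",
     "data": "C:\\Program Files\\Vendor\\updater.exe"},
    {"type": "file_create",
     "path": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HResultTypeId.lnk"},
    {"type": "process_create",
     "parent_image": "C:\\Users\\admin\\AppData\\Roaming\\HResultTypeId.exe",
     "image": "C:\\Users\\admin\\AppData\\Roaming\\HResultTypeId.exe"},
    {"type": "process_create",  # ordinary activity for contrast
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

On a real estate the `flag_spawn` rule needs an allow-list (updaters and chat clients legitimately run from AppData\Roaming and spawn children); the persistence rule is the lower-noise signal, and correlating both on the same host within a short window is what makes the pair worth paging on.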

PureLogs (and related PureMiner variants) accept serialized configuration from the loader, enumerate and collect browser data, extensions, crypto wallet artifacts, user/system information, and then serialize the results. Traffic uses a 4‑byte length prefix followed by the message; messages are compressed (GZIP), encrypted with 3DES (keys stored/encrypted in resources, sometimes MD5‑derived), and responses may be re‑serialized, re‑encrypted, and byte‑reversed. Communication often follows a three‑part exchange (hash, payload, hash). The same 3DES+GZIP+reverse pattern and protobuf configuration structure also appear in miner samples that drop scheduled tasks, inject into legitimate processes, and pull XMRig or similar miner instructions from C2.
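Two parts of the traffic and resource handling described above can be worked through with the standard library alone: the 4-byte length-prefixed framing of the C2 stream, and the byte-reverse-then-GZIP wrapping that recurs around resources and message bodies. The following is an added example, not code from the report or from the Pure tooling, that splits a captured stream into frames (keeping a truncated trailing frame as leftover instead of mis-parsing it) and unwraps a blob whichever orientation it is in. The 3DES layer that sits between the two in real traffic is deliberately not shown, since it needs a third-party crypto library; an analyst would apply it to each frame after `split_frames` and before `unwrap`. A little-endian length prefix is an assumption (what .NET's `BitConverter` produces); the report does not state the byte order. The inner message and the hash placeholders in the sample stream are constructed.

```python
import gzip
import struct
from typing import List, Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b"


def pack_frame(payload: bytes) -> bytes:
    """One wire frame: 4-byte length prefix then the bytes (little-endian assumed)."""
    return struct.pack("<I", len(payload)) + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a captured TCP payload into complete frames. Returns (frames, leftover);
    a frame whose declared length runs past the capture is left in `leftover`."""
    frames: List[bytes] = []
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, pos)
        end = pos + 4 + length
        if end > len(stream):
            break  # incomplete frame: wait for more data
        frames.append(stream[pos + 4:end])
        pos = end
    return frames, stream[pos:]


def unwrap(blob: bytes) -> Tuple[Optional[bytes], str]:
    """Undo the reverse+GZIP layering: try the blob as-is, then byte-reversed,
    and report which orientation carried a valid GZIP stream."""
    for label, candidate in (("as-is", blob), ("reversed", blob[::-1])):
        if candidate[:2] != GZIP_MAGIC:
            continue
        try:
            return gzip.decompress(candidate), label
        except (OSError, EOFError):
            continue
    return None, "unknown"


def wrap(data: bytes, reverse: bool = True) -> bytes:
    """Inverse of unwrap; used here only to build the constructed sample."""
    out = gzip.compress(data, mtime=0)
    return out[::-1] if reverse else out


# --- constructed sample stream: (hash, data, hash) with the 3DES layer omitted ---
INNER = b'{"user":"admin","machine":"DESKTOP-SAMPLE"}'  # stand-in for serialized stealer output
HEAD = b"<head-hash-placeholder>"  # the report names a hash here but not its algorithm
TAIL = b"<tail-hash-placeholder>"
SAMPLE_STREAM = pack_frame(HEAD) + pack_frame(wrap(INNER)) + pack_frame(TAIL)


def parse_exchange(stream: bytes) -> Optional[bytes]:
    """Apply the three-part shape from the report: accept exactly three complete
    frames and return the unwrapped middle frame, else None."""
    frames, leftover = split_frames(stream)
    if len(frames) != 3 or leftover:
        return None
    body, _orientation = unwrap(frames[1])
    return body


if __name__ == "__main__":
    print(parse_exchange(SAMPLE_STREAM))
```

`unwrap` checks the GZIP magic before attempting decompression so that an undecrypted 3DES body (which will match neither orientation) is reported as `unknown` rather than raising; that is the signal telling the analyst a cipher layer still has to be removed from that frame.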

Read more: https://any.run/cybersecurity-blog/pure-malware-family-analysis/