Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One

Pure Crypter is a malware-as-a-service loader widely used by threat actors. It layers evasion techniques (AMSI and ETW patching, DLL unhooking, anti-analysis checks, and a patch to the NtManageHotPatch API aimed at Windows 11 24H2) to defeat Windows defenses. It is sold through an automated Telegram bot and marketed as FUD ("fully undetectable") on the strength of avcheck[.]net scan results, yet multiple AV engines on VirusTotal detect it. eSentire released tooling to unpack samples and extract their configuration. (Affected: Windows systems; relevant to security researchers and threat actors)

Keypoints :

  • Pure Crypter is a MaaS loader distributed via an automated Telegram channel and sold on Hackforums.
  • Uses multiple evasion methods: AMSI bypass, DLL unhooking, anti-VM and anti-debug checks, and in-memory patching of the NtManageHotPatch API to defeat a Windows 11 24H2 protection.
  • Marketing leans on avcheck[.]net "FUD" scan results that conflict with VirusTotal, where multiple AV/EDR engines detect the samples.
  • Payloads observed are mainly information stealers such as Lumma and Rhadamanthys; initial access commonly comes via ClickFix social engineering.
  • Pure Crypter features a GUI with payload management, execution quotas, and configurable evasion/persistence options.
  • Seller-side operational security includes a terms-of-service disclaimer that keeps the listing within forum rules, and the use of scanning services that do not forward submitted samples to AV vendors.
  • Runtime and persistence options include a mutex for single-instance enforcement, startup-folder scripts, scheduled tasks, registry Run keys, and junk-data padding to inflate file size.
  • Supports multiple injection techniques: Reflection (.NET), RunPE (process hollowing), and shellcode execution.
  • eSentire developed PureCrypterPunisher to automate unpacking, config extraction, and string decryption for analysis.
  • Recommendations include blocking wscript.exe via AppLocker, redirecting risky script file extensions away from their script hosts, employee training, and NGAV/EDR deployment.
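The two host-hardening recommendations above, implemented as an added PowerShell example (this is not code from the eSentire post or from PureCrypterPunisher). Rule names, the temporary file path, the GUIDs generated at run time and the extension list are my own choices; AppLocker itself requires a Windows Enterprise/Education edition or Windows Server.

```powershell
# Added example, not code from the eSentire post: two of its recommendations as a
# PowerShell hardening script. Rule names, the temp path and the extension list are my
# own choices; AppLocker requires a Windows Enterprise/Education edition (or Server).
#Requires -RunAsAdministrator

# --- 1. AppLocker: deny the Windows Script Host binaries for Everyone ------------------
# Caveat: an Exe collection with EnforcementMode="Enabled" blocks every executable that
# no Allow rule covers, so the three default Allow rules are included. A Deny rule always
# wins over an Allow rule, so wscript.exe is blocked even though it sits under %WINDIR%.
# Both the 64-bit (System32) and 32-bit (SysWOW64) copies of the script hosts are denied.
$denyTargets = @(
    '%SYSTEM32%\wscript.exe',
    '%SYSTEM32%\cscript.exe',
    '%WINDIR%\SysWOW64\wscript.exe',
    '%WINDIR%\SysWOW64\cscript.exe'
)
$denyRules = foreach ($target in $denyTargets) {
@"
    <FilePathRule Id="$(New-Guid)" Name="Deny $target" Description="Script host abused by loaders for persistence" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$target" /></Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="(Default) Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default) Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default) Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-wsh.applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: evaluate the policy against the binary to block and a control binary that
# must stay allowed before anything is enforced.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement needs the Application Identity service. It is a protected service, so
# Set-Service cannot change its start type; sc.exe can.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # -Merge keeps rules already deployed

# --- 2. Redirect risky script extensions to Notepad ----------------------------------
# Double-clicking a dropped .js/.vbs then opens the text instead of running it.
# Caveats: this changes the machine-wide HKCR association, a per-user Explorer UserChoice
# can still override it, and "wscript.exe file.js" typed on a command line is unaffected,
# which is why the AppLocker rule above is the primary control.
$riskyExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'
foreach ($ext in $riskyExtensions) {
    cmd.exe /c "assoc $ext=txtfile" | Out-Null
}
cmd.exe /c 'assoc .vbs'   # verify the new association
```

Run the dry-run section first and read the PolicyDecision column: if notepad.exe comes back Denied, an Allow rule is missing and enforcing the policy would lock users out of every executable the rules do not cover. Deploying through Group Policy rather than a local Set-AppLockerPolicy is the usual route in a managed estate; the XML is the same.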

MITRE Techniques :

  • Process Injection (T1055) – Injects payloads via RunPE (process hollowing, T1055.012) and .NET reflection (in-memory assembly loading).
  • Deobfuscate/Decode Files or Information (T1140) – Decrypts and decompresses the Protobuf-serialized configuration at runtime.
  • Impair Defenses: Disable or Modify Tools (T1562.001) – Patches AmsiScanBuffer and EtwEventWrite in memory to blind AMSI and ETW-based telemetry.
  • System Network Configuration Discovery (T1016) – Runs ipconfig.exe to drop network connectivity so cloud-backed AV components cannot reach their backend; the action impairs defenses (T1562) more than it discovers configuration.
  • Indicator Removal (T1070) – Reloads clean copies of system DLLs to bypass AV/EDR inline hooks; this evades hooks rather than removing host indicators, so T1562.001 is the closer fit.
  • Boot or Logon Autostart Execution (T1547) – Persists via registry Run keys and startup-folder scripts (T1547.001); the scheduled-task option falls under Scheduled Task/Job (T1053.005).
  • Access Token Manipulation: Parent PID Spoofing (T1134.004) – Sets the parent-process attribute at process creation so the payload appears to be spawned by a benign parent.
  • Execution Guardrails (T1480) – Anti-VM, anti-debug, screen-resolution and username checks abort execution in sandboxes and analyst environments; ATT&CK files the sandbox checks under Virtualization/Sandbox Evasion (T1497) and the debugger checks under Debugger Evasion (T1622).
  • Command and Scripting Interpreter: PowerShell (T1059.001) – Executes PowerShell commands for the persistence and evasion steps.
  • File and Directory Permissions Modification (T1222) – Adds Windows Defender exclusions via encoded PowerShell; exclusions change the AV's configuration rather than file permissions, so this maps to T1562.001.

Indicator of Compromise :

  • The article publishes configuration strings decrypted from the Protobuf config; they are useful for detection content and signature creation.
  • Mutex names used for single-instance enforcement; an unexpected mutex of that name on a host is a usable indicator.
  • In-memory patches to AmsiScanBuffer and NtManageHotPatch can be caught by integrity checks that compare the functions' first bytes in a live process with the on-disk image, and signal Pure Crypter-style activity.
  • Persistence artifacts such as added registry Run keys, scheduled task names, and script files (e.g. VBScript) in Startup folders serve as host IOCs.
  • The Telegram bot @ThePureBot is the seller's distribution channel, not malware C2; it is an attribution and intelligence indicator rather than a network IOC for infected hosts.
  • Loading fresh copies of ntdll.dll and kernel32.dll from disk to restore unhooked code is a behavioral indicator (a second mapping of an already-loaded system DLL) rather than a static IOC.
  • Sample hashes were submitted to VirusTotal, where multiple AV engines detect them; the hashes published in the article can be used for threat hunting.
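A host-side hunt for the persistence and defense-evasion artifacts listed above, as an added PowerShell example (not code from the eSentire post or from PureCrypterPunisher). The regular expressions, the staging-path list and the rule that every Defender exclusion is worth review are my assumptions for triage, not Pure Crypter signatures; the concrete mutex names and configuration strings to match against are the ones published in the article, which this block does not reproduce.

```powershell
# Added hunting example, not code from the eSentire post: enumerate the host artifacts
# the IOC list names (Run keys, startup-folder scripts, scheduled tasks, Defender
# exclusions) and flag entries that look like a loader's persistence. The regexes and the
# "any exclusion is suspicious" rule are my assumptions, not Pure Crypter signatures.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'SilentlyContinue'

# Script hosts, mshta and hidden/encoded PowerShell are what the loader's persistence
# options spawn; user-writable staging paths are where dropped payloads usually live.
$scriptHostPattern = '(?i)\b(wscript|cscript|mshta)\.exe|powershell(\.exe)?\b.*\s-(enc|e|ec|w\s+hidden|windowstyle\s+hidden|nop)\b'
$userPathPattern   = '(?i)\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\'

function Test-Suspicious([string]$Command) {
    ($Command -match $scriptHostPattern) -or ($Command -match $userPathPattern)
}

function Get-RunKeyEntries {
    $hives   = 'HKLM:', 'HKCU:'
    $subkeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($hive in $hives) {
        foreach ($sub in $subkeys) {
            $key = Get-Item -Path "$hive\$sub"
            if (-not $key) { continue }               # key absent in this hive
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                [pscustomobject]@{
                    Source     = 'RunKey'
                    Location   = "$hive\$sub\$name"
                    Command    = $cmd
                    Suspicious = Test-Suspicious $cmd
                }
            }
        }
    }
}

function Get-StartupFolderScripts {
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $folders -File -Force | ForEach-Object {
        # Any script file in a Startup folder is unusual; shortcuts (.lnk) are normal there.
        $isScript = $_.Extension -match '^\.(vbs|vbe|js|jse|wsf|wsh|bat|cmd|ps1|hta)$'
        $preview  = if ($isScript) { (Get-Content -Path $_.FullName -TotalCount 3) -join ' ' } else { '' }
        [pscustomobject]@{
            Source     = 'StartupFolder'
            Location   = $_.FullName
            Command    = $preview
            Suspicious = $isScript
        }
    }
}

function Get-ScheduledTaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no command line
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = 'ScheduledTask'
                Location   = "$($task.TaskPath)$($task.TaskName)"
                Command    = $cmd
                Suspicious = Test-Suspicious $cmd
            }
        }
    }
}

function Get-DefenderExclusions {
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in $pref.$kind) {
            [pscustomobject]@{
                Source     = 'DefenderExclusion'
                Location   = $kind
                Command    = $value
                Suspicious = $true    # assumption: every exclusion needs a documented owner
            }
        }
    }
}

$findings = @(Get-RunKeyEntries; Get-StartupFolderScripts; Get-ScheduledTaskActions; Get-DefenderExclusions)
$findings | Where-Object Suspicious | Sort-Object Source, Location |
    Format-Table Source, Location, Command -AutoSize -Wrap
'{0} artifacts enumerated, {1} flagged for review' -f $findings.Count, @($findings | Where-Object Suspicious).Count
```

Run it elevated; HKLM Run keys, other users' tasks and Get-MpPreference all need it. Flagged rows are a triage list, not verdicts: legitimate software also installs from ProgramData and schedules PowerShell. The mutex indicator is not covered here because built-in cmdlets cannot enumerate named kernel objects; a handle-listing tool is needed for that, fed with the mutex names from the article.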


Read more: https://www.esentire.com/blog/pure-crypter-malware-analysis-99-problems-but-detection-aint-one
