{"id":6639,"date":"2024-01-16T05:45:36","date_gmt":"2024-01-16T05:45:36","guid":{"rendered":"\/cybersecurity-blog\/?p=6639"},"modified":"2026-02-10T13:47:18","modified_gmt":"2026-02-10T13:47:18","slug":"pure-malware-family-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/","title":{"rendered":"A Full Analysis of the Pure Malware Family: Unique and Growing Threat"},"content":{"rendered":"\n<p>In this article, we\u2019re analyzing one of the most unusual crypters, <strong>PureCrypter<\/strong>, and a multifunctional stealer, <strong>PureLogs<\/strong>. We&#8217;ll look at several examples, identify patterns shared across the Pure malware family, and explain how to detect PureCrypter and PureLogs.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why did we decide to undertake this analysis?<\/strong>&nbsp;<\/h2>\n\n\n\n<p>While analyzing Public Submissions, we came across several interesting samples. We were intrigued by unusual traffic: downloaded executables that appeared to be encrypted with very short keys, and TCP connections carrying high-entropy data.&nbsp;<\/p>\n\n\n\n<p>Inside, all samples looked different from other malware and were very similar to each other. 
Researching the family further, we found a couple of articles dedicated to PureCrypter and its relatives, which shed light on this group, but we wanted to add our own insights and combine all the information in one place.&nbsp;<\/p>\n\n\n\n<p>Our objectives were:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study the distribution system&nbsp;<\/li>\n\n\n\n<li>Investigate the distinctive features of PureCrypter and PureLogs&nbsp;<\/li>\n\n\n\n<li>Develop detection methods for PureCrypter and PureLogs&nbsp;<\/li>\n\n\n\n<li>Examine the traffic&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Pure: overview of the malware family&nbsp;<\/h2>\n\n\n\n<p>The distribution of PureCoder products began in March 2021, according to information provided by the developer on the malware\u2019s old website.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"168\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/1-1.png\" alt=\"\" class=\"wp-image-6641\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/1-1.png 683w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/1-1-300x74.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/1-1-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/1-1-270x66.png 270w\" sizes=\"(max-width: 683px) 100vw, 683px\" \/><figcaption class=\"wp-element-caption\">Information about the service on the old website<\/figcaption><\/figure><\/div>\n\n\n<p>On the main page of Pure\u2019s current website, there is a message stating that the software is used for educational and penetration testing purposes.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"170\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1.png\" alt=\"\" 
class=\"wp-image-6642\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1-300x50.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1-768x128.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1-370x61.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1-270x45.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/2-1-740x123.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The website falsely claims the software is for education and pentesting<\/figcaption><\/figure><\/div>\n\n\n<p>However, the code being sold is, in practice, used for malicious purposes. Public services show these products being distributed alongside other malware:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/submissions\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN <\/a><a href=\"https:\/\/app.any.run\/submissions\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">Submissions<\/a> (PureCrypter, PureLogs)&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/bazaar.abuse.ch\/browse.php?search=tag%3ApureCrypter\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Abuse.ch Bazaar<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"354\" height=\"201\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/3.png\" alt=\"\" class=\"wp-image-6643\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/3.png 354w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/3-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/3-270x153.png 270w\" sizes=\"(max-width: 354px) 100vw, 354px\" \/><figcaption class=\"wp-element-caption\">Telegram update<\/figcaption><\/figure><\/div>\n\n\n<p>Pure\u2019s update notes tell us that since March 2023, it is also sold through a Telegram bot. Telegram bots make purchasing malware more automated and anonymous. Bot usage shows that the author is developing the service, exploring new channels, and scaling up.&nbsp;<\/p>\n\n\n\n<p>Here are all the products that this group distributes under the guise of &#8220;educational purposes&#8221;:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"866\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-1024x866.png\" alt=\"\" class=\"wp-image-6644\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-1024x866.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-300x254.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-768x650.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-370x313.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-270x228.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4-740x626.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/4.png 1058w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Pure products<\/figcaption><\/figure><\/div>\n\n\n<p>Despite the claim that these products are distributed for educational purposes, the presence of silent miners, botnets, and hidden HVNC seems odd.&nbsp;<\/p>\n\n\n\n<p>Comments and ratings on Pure\u2019s website reveal high demand \u2014 
every month there are at least a couple of purchases.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-1024x421.png\" alt=\"\" class=\"wp-image-6645\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-1024x421.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-300x123.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-768x316.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-370x152.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-270x111.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5-740x305.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/5.png 1052w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Comments and reviews on Pure\u2019s website<\/figcaption><\/figure><\/div>\n\n\n<p>We followed the purchase flow and found that payment is made in Bitcoin. The payment page offers several Bitcoin wallets, which are likely part of a mixing service. 
The activity in these wallets started between <strong>May 19-26, 2023<\/strong>, and as of the writing of this article, one of them already had <strong>250 transactions amounting to $32,000 <\/strong>(<a href=\"https:\/\/www.blockchain.com\/en\/explorer\/addresses\/btc\/bc1qxwx4plkrm4e7cn95dja46jwv64ug4qecdt2efl\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">see it on Blockchain.com<\/a>).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"200\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-1024x200.png\" alt=\"\" class=\"wp-image-6646\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-1024x200.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-300x58.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-768x150.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-370x72.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-270x53.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6-740x144.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/6.png 1375w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Details about the cryptocurrency wallet<\/figcaption><\/figure><\/div>\n\n\n<p>So far, we&#8217;ve established that there is a wide range of Pure malware, it is popular, and it has existed for several years. Now, let&#8217;s move on to the technical analysis of the Pure family.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Staged and Stage-less loader&nbsp;<\/h2>\n\n\n\n<p>The deployment of products from the Pure family usually begins with a loader, which comes in two variants: Staged and Stage-less. 
Let&#8217;s analyze the behavior using <strong>PureCrypter <\/strong>as an example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What is PureCrypter?<\/strong>&nbsp;<\/h3>\n\n\n\n<p>PureCrypter is a crypter (or obfuscator), as its name suggests, that has a set of algorithms for data obfuscation and encryption. 
In combination, they hide the malware from antivirus products and make it harder for analysts to examine.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"933\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-933x1024.jpg\" alt=\"\" class=\"wp-image-6647\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-933x1024.jpg 933w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-273x300.jpg 273w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-768x843.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-370x406.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-270x296.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1-740x812.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-1.jpg 1018w\" sizes=\"(max-width: 933px) 100vw, 933px\" \/><figcaption class=\"wp-element-caption\">Behaviour flow of PureCrypter<\/figcaption><\/figure><\/div>\n\n\n<p>As seen in the diagram above, the loader comes in two variants: a Staged and a Stage-less payload. The decrypted resources contain libraries such as <strong>Protobuf-net <\/strong>and <strong>Costura<\/strong>. <strong>Protobuf-net<\/strong> deserializes the data into a configuration that holds the compressed malware. 
Ultimately, after decompression, the malware is launched with parameters from the configuration in a new process.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s examine each variant separately.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Staged Loader<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-52\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"52\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        3ACD90196DCF53DD6E265DC9C89B3CB0C47648A3B7AC8F226C6B4B98F39F2FC8\u00a0<br>\n<a class=\"wpdt-link-content\" style=\"color: #009cff;\" href=\"https:\/\/app.any.run\/tasks\/dff8744c-8e6b-425b-9ecf-0ca14b55f97b\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\"  rel=\"\" target=\"_blank\" data-cell-id=\"02\" 
data-link-url=\"https:\/\/app.any.run\/tasks\/dff8744c-8e6b-425b-9ecf-0ca14b55f97b\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" data-link-text=\"View the task\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">View the task<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-52'>\ntable#wpdtSimpleTable-52{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-52 td, table.wpdtSimpleTable52 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The static analysis of the sample under examination reveals that it&#8217;s written in .NET:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"678\" height=\"61\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/tinyspecial.png\" alt=\"\" class=\"wp-image-6648\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/tinyspecial.png 678w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/tinyspecial-300x27.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/tinyspecial-370x33.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/tinyspecial-270x24.png 270w\" sizes=\"(max-width: 678px) 100vw, 678px\" \/><figcaption class=\"wp-element-caption\">Information from DIE&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After analyzing the sample in the <a href=\"http:\/\/any.run\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktolanding&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> sandbox, we determined that a file with an .mp4 extension is 
downloaded:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-1024x713.jpg\" alt=\"\" class=\"wp-image-6649\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-1024x713.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-300x209.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-768x534.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-370x257.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-270x188.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2-740x515.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-2.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Payload download<\/figcaption><\/figure><\/div>\n\n\n<p>Additionally, we found examples downloading payloads with extensions like <a href=\"https:\/\/app.any.run\/tasks\/073f7830-512b-40e9-aedd-48fb6b8442ea\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">.vdf<\/a>, <a href=\"https:\/\/app.any.run\/tasks\/99129474-c14d-4f4a-94cd-a1ee9cd6d769\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">.mp3<\/a>, etc. <strong>This is another characteristic of the loader \u2014 to download files with legitimate extensions.<\/strong>&nbsp;<\/p>\n\n\n\n<p>In the image above, the downloaded file is not an actual .mp4 file, but an encrypted payload. 
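<p>The loader code examined next establishes the transform: the download is the payload XORed with the repeating 3-byte key "335", and other builds simply reverse the byte order. As an added example that is not code from the article or from PureCrypter, here is a stand-alone decoder for that stage. It goes one step beyond the article with a key-recovery helper, which assumes the decoded file begins with the standard MS-DOS stub header (true for ordinary PE and .NET files) and recovers any short XOR key by known plaintext. The sample download is constructed inside build_demo_download, not taken from the real sample.<\/p>

```python
"""Decoder for PureCrypter staged downloads (added example).

This is not code from the article or from the malware. It reproduces the
transform the article identifies in the loader: the downloaded ".mp4" is the
payload XORed with the repeating 3-byte key "335"; other builds reverse the
byte order instead. The key-recovery helper assumes the decoded payload
starts with the standard MS-DOS stub header. The sample download below is
constructed here, not taken from a real sample.
"""
from itertools import cycle
from typing import Optional

KEY_335 = b"335"  # key reported for the analysed sample

# First 16 bytes of the standard DOS stub emitted by Microsoft linkers.
DOS_STUB_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """MZ signature, a sane e_lfanew, and the PE\\0\\0 signature it points at."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a short key that repeats over the whole buffer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_staged_payload(blob: bytes, key: bytes = KEY_335):
    """Try the transforms the loader is known to use; return (name, pe) or None."""
    candidates = (
        ("raw", blob),                      # already a PE: no transform applied
        ("xor", xor_repeating(blob, key)),  # XOR variant (this sample)
        ("reverse", blob[::-1]),            # byte-reversal variant
    )
    for name, decoded in candidates:
        if looks_like_pe(decoded):
            return name, decoded
    return None


def recover_xor_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery: blob[i] ^ stub[i] yields keystream byte i."""
    if key_len > len(DOS_STUB_PREFIX):
        return None
    key = bytes(c ^ p for c, p in zip(blob[:key_len], DOS_STUB_PREFIX))
    return key if looks_like_pe(xor_repeating(blob, key)) else None


def guess_xor_key(blob: bytes, max_len: int = 8) -> Optional[bytes]:
    """Shortest key length (1..max_len) whose recovered key yields a valid PE."""
    for n in range(1, max_len + 1):
        key = recover_xor_key(blob, n)
        if key is not None:
            return key
    return None


def build_demo_download() -> bytes:
    """Constructed stand-in for the '.mp4': a minimal PE-shaped buffer, XORed."""
    image = bytearray(0x80)
    image[:len(DOS_STUB_PREFIX)] = DOS_STUB_PREFIX
    image[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE header
    image += b"PE\x00\x00" + b"\x90" * 512            # PE signature + filler
    return xor_repeating(bytes(image), KEY_335)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_download()
    result = decode_staged_payload(blob)
    print("transform:", result[0] if result else "unknown",
          "| recovered XOR key:", guess_xor_key(blob))
```

<p>Run it with the path of a dumped download, or without arguments to use the constructed sample. guess_xor_key is the useful part when a new build shows up with a different short key: it tries lengths 1 to 8 and validates each candidate against the PE header rather than trusting the first two bytes.<\/p>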
The transform cannot be identified from the bytes alone, so we analyze the loader&#8217;s internals.&nbsp;<\/p>\n\n\n\n<p>Code analysis in dnSpy shows that the downloaded <strong>payload is encrypted with an XOR operation<\/strong> using a repeating 3-byte key (\u201c335\u201d in this sample). You can see the overall scheme of payload downloading and decryption below:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"796\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-1024x796.jpg\" alt=\"\" class=\"wp-image-6650\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-1024x796.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-300x233.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-768x597.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-1536x1194.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-370x288.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-270x210.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-385x300.jpg 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3-740x575.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-3.jpg 1605w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source code<\/figcaption><\/figure><\/div>\n\n\n<p>To decrypt the file, we will use our <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=XOR(%7B'option':'Latin1','string':'335'%7D,'Standard',false)\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a> (XOR with the key \u201c335\u201d).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-1024x246.png\" alt=\"\" class=\"wp-image-6651\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-1024x246.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-300x72.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-768x185.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-370x89.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-270x65.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10-740x178.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/10.png 1476w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">XOR with&nbsp;the key \u201c335\u201d in CyberChef<\/figcaption><\/figure><\/div>\n\n\n<p>As the screenshot above shows, the decrypted download is a PE executable or library.&nbsp;<\/p>\n\n\n\n<p>XOR is not the only transform the loader uses; other builds substitute simple <a href=\"https:\/\/app.any.run\/tasks\/b44e3f63-03a8-478c-871c-7e5ecc63c0e6\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">byte reversal<\/a> or other variants.&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s move on to the analysis of the stage-less loader.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage-less Loader&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-53\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           
data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"53\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        5030BC30C14139D9C48DC4CD175DE6C966E83A9059035D18AF33DDA06F2541AB\n<br>\n<a class=\"wpdt-link-content\" style=\"color: #009cff;\" href=\"https:\/\/app.any.run\/tasks\/6c7f3628-64ec-47f5-8b2c-7ad9e0ff4bf6\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\"  rel=\"\" target=\"_blank\" data-cell-id=\"01\" data-link-url=\"https:\/\/app.any.run\/tasks\/6c7f3628-64ec-47f5-8b2c-7ad9e0ff4bf6\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" data-link-text=\"View the task\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">View the task<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style 
id='wpdt-custom-style-53'>\ntable#wpdtSimpleTable-53{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-53 td, table.wpdtSimpleTable53 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Unlike the Staged payload, the examined Stage-less payload is protected by SmartAssembly, which you can see in DIE:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"680\" height=\"74\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/11.png\" alt=\"\" class=\"wp-image-6652\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/11.png 680w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/11-300x33.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/11-370x40.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/11-270x29.png 270w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><figcaption class=\"wp-element-caption\">Information from DIE<\/figcaption><\/figure><\/div>\n\n\n<p>In the stage-less loader, the payload is stored in a resource in an encrypted form:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"364\" height=\"139\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/12.png\" alt=\"\" class=\"wp-image-6653\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/12.png 364w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/12-300x115.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/12-270x103.png 270w\" sizes=\"(max-width: 364px) 100vw, 364px\" \/><figcaption class=\"wp-element-caption\">Resource on board<\/figcaption><\/figure><\/div>\n\n\n<p>First, the resource is decrypted using AES with embedded keys (KEY: dd2e7fe3fd9cb1b2f91a16460c8acb5b and IV: 80f3f9712e01f98fab92ab84ec40a8e5) and then 
decompressed:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"489\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-1024x489.png\" alt=\"\" class=\"wp-image-6654\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-1024x489.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-768x367.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13-740x354.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/13.png 1042w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Rijndael Algorithm<\/figcaption><\/figure><\/div>\n\n\n<p>We will use a <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Drop_bytes(0,4,false)AES_Decrypt(%7B'option':'Hex','string':'dd2e7fe3fd9cb1b2f91a16460c8acb5b'%7D,%7B'option':'Hex','string':'80f3f9712e01f98fab92ab84ec40a8e5'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)Raw_Inflate(16,0,'Adaptive',false,false)\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a> for decryption.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-1024x342.png\" alt=\"\" class=\"wp-image-6656\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-1024x342.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-300x100.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-768x257.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-370x124.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-270x90.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14-740x248.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/14.png 1480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">CyberChef \u2013 <strong>AES+decompress<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>As a result, we get a .NET assembly without executable code but with an encrypted resource of its own, which is in turn decrypted and loaded as a module:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"325\" height=\"139\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/15.png\" alt=\"\" class=\"wp-image-6657\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/15.png 325w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/15-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/15-270x115.png 270w\" sizes=\"(max-width: 325px) 100vw, 325px\" \/><figcaption class=\"wp-element-caption\"><strong>Nchya <\/strong>resource<\/figcaption><\/figure><\/div>\n\n\n<p>The second resource is decrypted with 3DES in CBC mode, using the key &#8220;68433890991609093ead30a9d75c39db&#8221; and IV &#8220;4A64DD85048433D7&#8221;.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s use a <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Triple_DES_Decrypt(%7B'option':'Hex','string':'68433890991609093ead30a9d75c39db'%7D,%7B'option':'Hex','string':'4A64DD85048433D7'%7D,'CBC','Raw','Raw')\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a> to decrypt this resource:<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"263\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-1024x263.png\" alt=\"\" class=\"wp-image-6658\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-1024x263.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-300x77.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-768x197.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-370x95.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-270x69.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16-740x190.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/16.png 1481w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Cyberchef \u2013 <strong>TripleDES<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>After decryption, we obtain an executable file or library, similar to the case with the Staged Loader.&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s move on to the analysis of the obtained files.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PureCrypter&nbsp;<\/h2>\n\n\n\n<p>Comparing the entry points of Staged and stage-less <strong>PureCrypter<\/strong>, we see that they are identical. 
From this, we can conclude that they are essentially the same.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s EntryPoint&nbsp;of <strong>PureCrypter<\/strong>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1018\" height=\"936\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4.jpg\" alt=\"\" class=\"wp-image-6704\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4.jpg 1018w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4-300x276.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4-768x706.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4-370x340.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4-270x248.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-4-740x680.jpg 740w\" sizes=\"(max-width: 1018px) 100vw, 1018px\" \/><figcaption class=\"wp-element-caption\">EntryPoint of PureCrypter<\/figcaption><\/figure><\/div>\n\n\n<p><strong>PureCrypter<\/strong> can carry two types of payloads &#8211; 3rd party malware or its own proprietary product, <strong>PureLogs<\/strong>. Let&#8217;s examine each option separately.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3rd party malware (AgentTesla)&nbsp;<\/h3>\n\n\n\n<p>The program begins decrypting and loading the .NET Assembly resource, similar to the stage-less process. 
This happens in an identical manner &#8211; using <strong>AES (Rijndael) encryption<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"797\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-1024x797.jpg\" alt=\"\" class=\"wp-image-6661\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-1024x797.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-300x233.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-768x597.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-370x288.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-270x210.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-385x300.jpg 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5-740x576.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Screenshot-5.jpg 1234w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Resource decryption with AES (Rijndael)<\/figcaption><\/figure><\/div>\n\n\n<p>We can use this <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Drop_bytes(0,4,false)AES_Decrypt(%7B'option':'Hex','string':'701033bcf969fa2d69bbc3bf96e990ce'%7D,%7B'option':'Hex','string':'80f3f9712e01f98fab92ab84ec40a8e5'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)Raw_Inflate(16,0,'Adaptive',false,false)\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a> for decryption.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-1024x342.png\" alt=\"\" class=\"wp-image-6662\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-1024x342.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-300x100.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-768x256.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-370x124.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-270x90.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20-740x247.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/20.png 1480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">CyberChef <strong>AES+inflate<\/strong><\/figcaption><\/figure><\/div>\n\n\n<p>After decrypting with the AES algorithm, the program takes this resource and proceeds to the second stage of its decryption.&nbsp;<\/p>\n\n\n\n<p>The first action the program performs is parsing the data of the header. 
The first 30 bytes are the length of the data, and the next 10 bytes are the XOR key:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"552\" height=\"149\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/21.png\" alt=\"\" class=\"wp-image-6663\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/21.png 552w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/21-300x81.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/21-370x100.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/21-270x73.png 270w\" sizes=\"(max-width: 552px) 100vw, 552px\" \/><figcaption class=\"wp-element-caption\">The header<\/figcaption><\/figure><\/div>\n\n\n<p>From the header, a license and key are obtained. The data can be decrypted using <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'7C%2068%2054%2006%20ED%2038%200C%2074%2053%202A%2094%2088%20BA%2058%2008%203D'%7D,'Standard',false)To_Hexdump(16,false,false,false)&amp;input=NzcgMDQgM0QgNjUgREEgMDggNEEgNEQgNjAgMUQgQUMgQkEgQjggNUEgMTUgMUQgQ0UgRjkgNzkgRjggOUQgNjIgRkIgM0UgNDIgQ0QgNDYgMzcgOEQgREUgMTggMEMgNkEgQzUgQkEgNzcgOUYgNDkgODkgMzUgQzggREQgNTAgNUYgNDMgREUgQjUgNzE\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">this CyberChef recipe<\/a>. 
A similar string was already seen in <strong>ZGRat<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"253\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-1024x253.png\" alt=\"\" class=\"wp-image-6664\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-1024x253.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-300x74.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-768x190.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-270x67.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22-740x183.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/22.png 1477w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">XOR<\/figcaption><\/figure><\/div>\n\n\n<p>After calculating the data, the program selects a method of decryption. 
In our case, it is AES.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"370\" height=\"381\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/23.png\" alt=\"\" class=\"wp-image-6665\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/23.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/23-291x300.png 291w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/23-270x278.png 270w\" sizes=\"(max-width: 370px) 100vw, 370px\" \/><figcaption class=\"wp-element-caption\">Encryption selection<\/figcaption><\/figure><\/div>\n\n\n<p>In AES, <strong>IV<\/strong> is used, which is the XOR key 7C685406ED380C74532A9488BA58083D, and the KEY is the last 32 bytes in the decrypted header b2912dfe705af74a11e7d2bf3786103116adee71727185419bf7c4d7f986bd4c.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"292\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-1024x292.png\" alt=\"\" class=\"wp-image-6666\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-1024x292.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-768x219.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-370x105.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-270x77.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24-740x211.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/24.png 1478w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We can decrypt the data using a <a 
href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=AES_Decrypt(%7B'option':'Hex','string':'b2%2091%202d%20fe%2070%205a%20f7%204a%2011%20e7%20d2%20bf%2037%2086%2010%2031%2016%20ad%20ee%2071%2072%2071%2085%2041%209b%20f7%20c4%20d7%20f9%2086%20bd%204c'%7D,%7B'option':'Hex','string':'7C%2068%2054%2006%20ED%2038%200C%2074%2053%202A%2094%2088%20BA%2058%2008%203D'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)To_Hexdump(16,false,false,false\/disabled)\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a>.&nbsp;<\/p>\n\n\n\n<p>As a result of the decryption, we obtain a .NET Assembly with a set of resources and encrypted strings before the MZ header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"309\" height=\"190\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/25.png\" alt=\"\" class=\"wp-image-6667\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/25.png 309w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/25-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/25-270x166.png 270w\" sizes=\"(max-width: 309px) 100vw, 309px\" \/><figcaption class=\"wp-element-caption\">Resources after decryption<\/figcaption><\/figure><\/div>\n\n\n<p>The header looks as follows:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>4 bytes at the beginning and end (for calculation purposes)&nbsp;<\/li>\n\n\n\n<li>1 byte for the message size highlighted in red&nbsp;<\/li>\n\n\n\n<li>And the message itself afterwards.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"343\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/26.png\" alt=\"\" class=\"wp-image-6668\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/26.png 725w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/26-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/26-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/26-270x128.png 270w\" sizes=\"(max-width: 725px) 100vw, 725px\" \/><figcaption class=\"wp-element-caption\">The header<\/figcaption><\/figure><\/div>\n\n\n<p>The messages can be decrypted using the following <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Hex('Auto')Encode_text('UTF-16LE%20(1200)')XOR(%7B'option':'Hex','string':'b50f'%7D,'Standard',false)Decode_text('UTF-16LE%20(1200)')&amp;input=RTAgQkYgQTUgRTAgQkYgOUQgRTAgQkYgOEQgRTAgQkYgOTIgRTAgQkYgOUEgRTAgQkUgOUIgRTAgQkYgQTUgRTAgQkYgODcgRTAgQkYgOUEgRTAgQkYgODUgRTAgQkYgOTAgRTAgQkYgODcgRTAgQkYgODEgRTAgQkYgOUMgRTAgQkYgOTAgRTAgQkYgODYgRTAgQkUgOUIgRTAgQkYgQTcgRTAgQkYgOTAgRTAgQkYgODYgRTAgQkYgOUEgRTAgQkYgODAgRTAgQkYgODcgRTAgQkYgOTYgRTAgQkYgOTAgRTAgQkYgODYgRTAgQkUgOUIgRTAgQkYgODcgRTAgQkYgOTAgRTAgQkYgODYgRTAgQkYgOUEgRTAgQkYgODAgRTAgQkYgODcgRTAgQkYgOTYgRTAgQkYgOTAgRTAgQkYgODY\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe:<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"328\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-1024x328.png\" alt=\"\" class=\"wp-image-6669\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-1024x328.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-768x246.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-270x86.png 
270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27-740x237.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/27.png 1478w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Encoding and XOR<\/figcaption><\/figure><\/div>\n\n\n<p>The resource zJSLu is decrypted in the same way \u2014 using AES and decompression. It contains strings that will be used later (if the flag is set in the configuration).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"543\" height=\"418\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/28.png\" alt=\"\" class=\"wp-image-6670\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/28.png 543w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/28-300x231.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/28-370x285.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/28-270x208.png 270w\" sizes=\"(max-width: 543px) 100vw, 543px\" \/><figcaption class=\"wp-element-caption\">The zJSLu resource, once decrypted (subject to serialization)<\/figcaption><\/figure><\/div>\n\n\n<p>The malware uses <strong>protobuf <\/strong>for deserializing data, which is taken from the Issal resource after prior decompression.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"939\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29.png\" alt=\"\" class=\"wp-image-6671\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29.png 939w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29-300x193.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29-768x494.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29-370x238.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29-270x174.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/29-740x476.png 740w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><figcaption class=\"wp-element-caption\">Deserialization<\/figcaption><\/figure><\/div>\n\n\n<p>At this point, having decrypted all the resources, we arrive at the program&#8217;s main function. But before starting the analysis of the main function, let&#8217;s take a look at what the <strong>PureCrypter <\/strong>builder interface looks like:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"773\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-1024x773.png\" alt=\"\" class=\"wp-image-6672\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-1024x773.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-300x227.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-768x580.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-370x279.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-270x204.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-740x559.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/30.png 1042w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">PureCrypter builder<\/figcaption><\/figure><\/div>\n\n\n<p>From the screenshot, we can see a large set of functions, including anti-debugging, anti-deletion, and others. 
Let&#8217;s go through the main code and see what techniques are used in this version of the crypter.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"278\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31.png\" alt=\"\" class=\"wp-image-6673\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31.png 981w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31-768x218.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31-370x105.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31-270x77.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/31-740x210.png 740w\" sizes=\"(max-width: 981px) 100vw, 981px\" \/><figcaption class=\"wp-element-caption\">Code with configuration analysis and checks.<\/figcaption><\/figure><\/div>\n\n\n<p>In the version under study, the check for the presence of a virtual machine is disabled, but the functionality is present in the code of the program. 
It includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CheckRemoteDebuggerPresent to find a debugger;&nbsp;<\/li>\n\n\n\n<li>Checks for the presence of the Sandboxie virtual environment by searching for the loaded library sbiedll.dll;&nbsp;<\/li>\n\n\n\n<li>Executes a WMI query \u201cselect * from Win32_BIOS\u201d to check the BIOS version;&nbsp;<\/li>\n\n\n\n<li>Executes a WMI query \u201cselect * from Win32_ComputerSystem\u201d and looks for one of the substrings &#8220;Microsoft|VMWare|Virtual&#8221; in the results;&nbsp;<\/li>\n\n\n\n<li>Checks the width and height of the monitor screen, which should be more than 1024 and 768 pixels, respectively;&nbsp;<\/li>\n\n\n\n<li>Checks whether the program is running on a 64-bit OS, as most modern operating systems are 64-bit;&nbsp;<\/li>\n\n\n\n<li>Compares the current username with one from a list.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Other capabilities include:&nbsp;<\/p>\n\n\n\n<p>1. A feature to reset the network interface by executing the command \u201ccmd \/c ipconfig \/release,\u201d presumably to prevent security tools or antivirus software from communicating with their servers. In the sample analyzed, this feature is disabled.&nbsp;<\/p>\n\n\n\n<p>2. Ability to use a mutex to prevent the launch of a duplicate copy. In this instance, the mutex is named &#8220;Gjrstoo,&#8221; but this option is not active.&nbsp;<\/p>\n\n\n\n<p>3. A function to check if it is running with administrator privileges and to restart with the necessary permissions if needed. Moreover, the malware uses the command &#8220;set-mppreference -exclusionpath &#8221; to add the entire \u201cC:\u201d drive to the antivirus exclusions. This function is also disabled.&nbsp;<\/p>\n\n\n\n<p>4. A delay execution feature, where the delay occurs N times for 1 second each.&nbsp;<\/p>\n\n\n\n<p>5. Capability to execute an arbitrary PowerShell command passed in Base64 via the \u201c-enc\u201d parameter. 
This function is also disabled.&nbsp;<\/p>\n\n\n\n<p>6. Displaying a fake error message, but this feature is also turned off.&nbsp;<\/p>\n\n\n\n<p>7. Ability to establish persistence in the system through Run registry keys or the Startup directory.&nbsp;<\/p>\n\n\n\n<p>The purpose of using \u201cipconfig \/renew\u201d is unclear, but the functionality exists (it allows the release of all dynamic IP addresses assigned to the computer using a DHCP server).&nbsp;<\/p>\n\n\n\n<p>Subsequently, the payload is loaded, which can be downloaded from the internet (as indicated by the HTTP Client), or from a resource (as in our example).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-1024x342.png\" alt=\"\" class=\"wp-image-6674\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-1024x342.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-300x100.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-768x257.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-370x124.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-270x90.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32-740x247.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/32.png 1047w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Injection options<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Ordinary library loading&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Decryption of the resource followed by loading&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Unclear \u2014 possibly, decryption is executed 
here.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Subsequently, the payload bytes are reversed and the result is decompressed with the same GZIP routine; the recipe can be found <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Drop_bytes(0,4,false)Gunzip()\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-1024x260.png\" alt=\"\" class=\"wp-image-6675\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-1024x260.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-300x76.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-768x195.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-370x94.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-270x68.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33-740x188.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/33.png 1483w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Cyberchef \u2013 Gunzip<\/figcaption><\/figure><\/div>\n\n\n<p>After decompression, PureCrypter creates a new process:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"262\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-1024x262.png\" alt=\"\" class=\"wp-image-6676\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-1024x262.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-300x77.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-768x196.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-370x95.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-270x69.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34-740x189.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/34.png 1239w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>And injects code into this process.&nbsp;<\/p>\n\n\n\n<p>This is how malware is commonly distributed, often including stealers and RATs. Now let&#8217;s move on to analyzing PureLogs, which PureCrypter can also deliver.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PureLogs Loader&nbsp;<\/h2>\n\n\n\n<p><strong>PureLogs <\/strong>malware is typically distributed by a loader covered by the .NET Reactor protector. <strong>PureLogs <\/strong>is a small library responsible for data theft. Usually, the library is loaded by the loader from a C2 server.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"761\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2.jpg\" alt=\"\" class=\"wp-image-6677\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2.jpg 799w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2-300x286.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2-768x731.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2-370x352.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2-270x257.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-2-740x705.jpg 740w\" sizes=\"(max-width: 799px) 100vw, 799px\" \/><\/figure><\/div>\n\n\n<p>Analysis of the loading traffic revealed that in the first connection an encrypted 
message is sent, and an encrypted response is received. All of this occurs within the loader.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"489\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/36.png\" alt=\"\" class=\"wp-image-6678\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/36.png 732w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/36-300x200.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/36-370x247.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/36-270x180.png 270w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><figcaption class=\"wp-element-caption\">First connection in the loader<\/figcaption><\/figure><\/div>\n\n\n<p>Both messages within the first connection are encrypted in the same way, but the response has an additional layer of serialization and undergoes re-encryption with byte reversal.&nbsp;<\/p>\n\n\n\n<p>First, the data is compressed and then encrypted using 3DES with a key (which is stored in the loader&#8217;s resources, along with the IP data and client ID). However, the key itself is encrypted using md5Crypto, resulting in the hash &#8216;9F4D71CF2393253FB5324C6731B962F8&#8217;.&nbsp;<\/p>\n\n\n\n<p>After encryption, the program sends this message to the server. 
The process begins with sending 4 bytes indicating the size of the message, followed by the message itself.&nbsp;<\/p>\n\n\n\n<p>A complete decryption is presented <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Triple_DES_Decrypt(%7B'option':'Hex','string':'9F4D71CF2393253FB5324C6731B962F8'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw')Drop_bytes(0,4,false)Gunzip()&amp;input=M0Y3MkIzNzQwNjEwRTQ0QTQzM0Q3MTAxMjI2NEIwNzI0QkExNTVDRjhEREIzQUFCMkVFRjBBMDFDNDVBNjFBN0RFNUYxREExRjg2RjI1OTU2MkM4OEY1NUVERDFEMUI3\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"259\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-1024x259.png\" alt=\"\" class=\"wp-image-6679\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-1024x259.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-300x76.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-768x194.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-370x94.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-270x68.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37-740x187.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/37.png 1100w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decryption key<\/figcaption><\/figure><\/div>\n\n\n<p>Now let&#8217;s consider the received message. After decryption, the data undergoes deserialization and is then re-encrypted again (3DES+GZIP), similar to the initial process. 
However, at the end, a Reverse bytes operation is applied.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"412\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-1024x412.png\" alt=\"\" class=\"wp-image-6680\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-1024x412.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-768x309.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38-740x298.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/38.png 1101w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">TripleDES+GZIP (you can immediately remove the first 4 bytes of length or use DROP)<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-1024x474.png\" alt=\"\" class=\"wp-image-6681\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-1024x474.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-300x139.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-768x356.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-370x171.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-270x125.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39-740x343.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/39.png 1099w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">After deserialization: TripleDES+GZIP+Reverse<\/figcaption><\/figure><\/div>\n\n\n<p>As a result, we obtain our library, which is responsible for stealing data and then sending it onward. Let&#8217;s take a closer look at it.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PureLogs<\/h2>\n\n\n\n<p><strong>PureLogs <\/strong>is a multi-functional stealer. Like <strong>PureCrypter<\/strong>, <strong>PureLogs <\/strong>uses obfuscation methods that complicate its analysis. But what\u2019s really interesting is its network traffic, which we will discuss in this section.&nbsp;<\/p>\n\n\n\n<p>Like other samples of the Pure family, PureLogs is sometimes confused with ZGRat \u2014 we are going to clear up this misunderstanding in this article.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s get to the analysis.&nbsp;<\/p>\n\n\n\n<p>Looking at the class library, we immediately see a class called PlgCore (we assume this stands for PureLogsCore).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"345\" height=\"293\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/40.png\" alt=\"\" class=\"wp-image-6682\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/40.png 345w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/40-300x255.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/40-270x229.png 270w\" sizes=\"(max-width: 345px) 100vw, 345px\" \/><figcaption class=\"wp-element-caption\">ClassLibrary1<\/figcaption><\/figure><\/div>\n\n\n<p>Serialized data enters the library as an argument from a resource, which the loader has loaded from the C2 server.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"869\" height=\"284\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41.png\" alt=\"\" class=\"wp-image-6683\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41.png 869w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41-768x251.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41-370x121.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/41-740x242.png 740w\" sizes=\"(max-width: 869px) 100vw, 869px\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"123\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/42.png\" alt=\"\" class=\"wp-image-6684\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/42.png 608w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/42-300x61.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/42-370x75.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/42-270x55.png 270w\" sizes=\"(max-width: 608px) 100vw, 608px\" \/><figcaption class=\"wp-element-caption\">Configuration data<\/figcaption><\/figure><\/div>\n\n\n<p>Inside, they are deserialized and stored as configuration.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"910\" height=\"291\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43.png\" alt=\"\" class=\"wp-image-6685\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43.png 910w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43-768x246.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/43-740x237.png 740w\" sizes=\"(max-width: 910px) 100vw, 910px\" \/><figcaption class=\"wp-element-caption\">Configuration<\/figcaption><\/figure><\/div>\n\n\n<p>Next, the library iterates through a vast number of functions and collects data from the system:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser data, including extensions&nbsp;<\/li>\n\n\n\n<li>Data about Crypto Wallets&nbsp;<\/li>\n\n\n\n<li>Complete information about the user&nbsp;<\/li>\n\n\n\n<li>Full information about the PC configuration&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Below is an example of some of the system data.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"275\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-1024x275.png\" alt=\"\" class=\"wp-image-6686\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-1024x275.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-300x80.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-768x206.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-1536x412.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-370x99.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-270x72.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44-740x199.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/44.png 1543w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">System data&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, all the collected data is serialized. Following the same principle, the data is encrypted before transmission: compression and 3DES encryption using a pre-existing key. Now, all the data ready for transmission is transformed, and the final connection is made to send the gathered data.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"730\" height=\"388\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/45.png\" alt=\"\" class=\"wp-image-6687\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/45.png 730w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/45-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/45-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/45-270x144.png 270w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><figcaption class=\"wp-element-caption\">Data transmission (first 4 bytes indicate size, followed by the message)<\/figcaption><\/figure><\/div>\n\n\n<p>Then, there are three transmissions: the first and last are hashes of the data, and the second one contains the actual data.&nbsp;<\/p>\n\n\n\n<p>To decrypt the traffic, we can use <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Triple_DES_Decrypt(%7B'option':'Hex','string':'9F4D71CF2393253FB5324C6731B962F8'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw')Drop_bytes(0,4,false)Gunzip()\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">this CyberChef recipe<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"259\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-1024x259.png\" alt=\"\" class=\"wp-image-6688\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-1024x259.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-300x76.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-768x195.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-370x94.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-270x68.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46-740x188.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/46.png 1480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decryption of the first message (the last one is identical)<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"257\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-1024x257.png\" alt=\"\" class=\"wp-image-6689\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-1024x257.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-300x75.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-768x193.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-370x93.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-270x68.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47-740x186.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/47.png 1480w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decryption of the data<\/figcaption><\/figure><\/div>\n\n\n<p>And with this, we have 
dissected the traffic and the operation of PureLogs. Now, let&#8217;s consider another malware variant from the Pure family \u2014 a miner.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PureMiner&nbsp;<\/h2>\n\n\n\n<p>While examining samples on other services with detections for <strong>PureLogs <\/strong>and <strong>PureCrypter<\/strong>, we came across several samples that didn&#8217;t appear to be like either but exhibited a strikingly similar signature.&nbsp;<\/p>\n\n\n\n<p><strong>Firstly, the traffic they generated followed an identical pattern <\/strong>(first 4 bytes for length, followed by the remaining bytes for data). What&#8217;s even more intriguing is that they were encrypted in the same fashion (using <strong>3DES <\/strong>encryption with a key that was similarly encrypted through <strong>MD5Crypto<\/strong>).&nbsp;<\/p>\n\n\n\n<p><strong>Secondly, there were similarities in code behavior and module loading<\/strong>, such as the use of the <strong>proto-buf<\/strong> module for processing configuration data.&nbsp;<\/p>\n\n\n\n<p>Thirdly, the code structure and its resemblance to PureCrypter<strong> <\/strong>and PureLogs code were notable.&nbsp;<\/p>\n\n\n\n<p>Lastly, the configurations showed similarities in their structure.&nbsp;<\/p>\n\n\n\n<p>The diagram below shows this resemblance to PureLogs. 
It involves the transmission and reception of data from the C2 server (with the data being encrypted using 3DES).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"599\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-3.jpg\" alt=\"\" class=\"wp-image-6690\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-3.jpg 687w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-3-300x262.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-3-370x323.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/Scheme-3-270x235.jpg 270w\" sizes=\"(max-width: 687px) 100vw, 687px\" \/><\/figure><\/div>\n\n\n<p>Based on all of this information, we have decided to conduct an investigation into the discovered sample:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-54\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"54\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                    
        data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        A20F2623022BC0D5BDC49B235736CC791A3392198D7A601B2478C1974D5D9F17\n<br>\n<a class=\"wpdt-link-content\" style=\"color: #009cff;\" href=\"https:\/\/app.any.run\/tasks\/48550b8f-542b-4e92-aaea-f6f0378f1763\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\/\"  rel=\"\" target=\"_blank\" data-cell-id=\"01\" data-link-url=\"https:\/\/app.any.run\/tasks\/48550b8f-542b-4e92-aaea-f6f0378f1763\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\/\" data-link-text=\"View the task\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">View the task<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-54'>\ntable#wpdtSimpleTable-54{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-54 td, table.wpdtSimpleTable54 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The first thing we noticed during our analysis was the sample&#8217;s behavior when executed with administrative privileges (we will see why we executed the sample with admin privileges later on).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"421\" height=\"406\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/49.png\" alt=\"\" class=\"wp-image-6691\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/49.png 421w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/49-300x289.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/49-370x357.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/49-270x260.png 270w\" sizes=\"(max-width: 421px) 100vw, 421px\" \/><figcaption class=\"wp-element-caption\">The process of restarting using cmd<\/figcaption><\/figure><\/div>\n\n\n<p>After the restart, the program creates a scheduled task in Task Scheduler to launch its copy at <strong>%APPDATA%\/HResult\/TypeId.exe<\/strong>. Following this, there is an injection into a new legitimate process.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"483\" height=\"165\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/50.png\" alt=\"\" class=\"wp-image-6692\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/50.png 483w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/50-300x102.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/50-370x126.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/50-270x92.png 270w\" sizes=\"(max-width: 483px) 100vw, 483px\" \/><figcaption class=\"wp-element-caption\">The process is launched under Task Scheduler<\/figcaption><\/figure><\/div>\n\n\n<p>After analyzing the behavior, we proceeded with an in-depth analysis of the sample. 
We discovered its configuration, which utilizes <strong>proto-buf<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"257\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-1024x257.png\" alt=\"\" class=\"wp-image-6693\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-1024x257.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-300x75.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-768x193.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-370x93.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-270x68.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51-740x186.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/51.png 1322w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Configuration<\/figcaption><\/figure><\/div>\n\n\n<p>Additionally, there is an <a href=\"https:\/\/app.any.run\/tasks\/598e35d5-5beb-40a8-a92b-8a1e083cb3e6\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">executable file<\/a> that appears to be responsible for executing commands from the C2 server. In the strings, there is a mention of the XMRIG miner. 
We suspect that this is a distributor of the miner, which runs it quietly.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"555\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52.png\" alt=\"\" class=\"wp-image-6694\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52.png 759w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52-300x219.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52-370x271.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52-270x197.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/52-740x541.png 740w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><figcaption class=\"wp-element-caption\">Strings from the miner<\/figcaption><\/figure><\/div>\n\n\n<p>We decided to decrypt the traffic to understand what information is being transmitted and what we receive in response. We managed to obtain the decryption key. 
It was no surprise that the traffic was encrypted using the same 3DES encryption, and the first 4 bytes represent the length, which we remove:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"200\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-1024x200.png\" alt=\"\" class=\"wp-image-6695\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-1024x200.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-300x59.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-768x150.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-370x72.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-270x53.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53-740x144.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/53.png 1471w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decrypted traffic<\/figcaption><\/figure><\/div>\n\n\n<p>The decryption recipe is available <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Triple_DES_Decrypt(%7B'option':'Hex','string':'925E549529B04126D00619D03525C542'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw')&amp;input=QkZFRjA5QkJGM0VGRUYyNTMyRjQ5MDhBQkMwMzRBN0Q5N0IwNUMzRDE4MkNBODJDNzgxNTFDODFCMDBEMDcxODBBNjA0MjZBMTNDODEyQzM2QUE2NDFGNjQ0MUExRjVEOUEzMjA5RTlFRkUwOEU5MTgzNzdEMzA5NTQ4QUREOERGNzcxMEVGMUI3QTMwODI5MjJEMUU4NEJGODc1OUEwMEUxQTBGRDI4OURCQ0E3NjY1NkJCODEzMTQ4QjIwODA1QTMzNzgzNDJCNEFBNjIwOTFEM0Q5MTQ5QTNCMThGMTIxQzIwQTFFQTdBNkYwMDY2\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>. 
And here&#8217;s the link to a <a href=\"https:\/\/cyberchef.org\/#recipe=Triple_DES_Decrypt(%7B'option':'Hex','string':'925E549529B04126D00619D03525C542'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw')&amp;input=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\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">server response<\/a>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-1024x326.png\" alt=\"\" class=\"wp-image-6696\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-1024x326.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-768x245.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54-740x236.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/01\/54.png 1478w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Response from the server<\/figcaption><\/figure><\/div>\n\n\n<p>And with this, we have found another malware from the Pure family \u2014 a miner. PureMiner collects information about the system and sends it to C2. After this, it receives a response with mining instructions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Let\u2019s wrap up the analysis&nbsp;<\/h2>\n\n\n\n<p>To summarize \u2014 this was one of the most comprehensive investigations we\u2019ve done so far in ANY.RUN. 
We analyzed a widely popular and rapidly spreading malware family \u2014 Pure \u2014 and even uncovered a new variant \u2014 a miner.&nbsp;<\/p>\n\n\n\n<p>Pure tools masquerade as legitimate software created for \u201ceducational purposes\u201d. But analysis of the code clearly shows that they are powerful malicious tools. Recently, the creators began distributing them through a Telegram bot, which indicates that they are scaling the operation. Currently, Pure receives at least a couple of orders every month, but it\u2019s highly likely that its popularity will start skyrocketing in the near future.&nbsp;<\/p>\n\n\n\n<p>We hope that this analysis helped you better understand how to reverse and detect malware from the Pure family, so that if you encounter it, you\u2019ll be well prepared.&nbsp;<\/p>\n\n\n\n<p>If you have any information to add about Pure \u2014 we\u2019d love to hear it. Let\u2019s discuss in the comments below. And as always, make sure to share your thoughts about the article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN is an interactive malware analysis sandbox that streamlines the work of SOC and DFIR teams. 
Our service is trusted by 300,000 professionals worldwide who use it to investigate both emerging and persistent threats.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Request a free trial of ANY.RUN for 14 days to explore all the features we offer.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktodemo&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK Matrix<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-55\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"7\"\n           data-wpID=\"55\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactics\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Techniques\u00a0            
        <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1140 - Deobfuscate\/Decode Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Deobfuscate\/Decode resourses and files\u00a0                    <\/td>\n                                        <\/tr>\n            
                <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082 - System Information Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Pure-malware discovery system information\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1083 - File and Directory Discovery\u00a0                    <\/td>\n          
                                      <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PureLogs discoveries files for stealing\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1119 - Automated Collection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collect information\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr 
class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1005 - Data from Local System\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Search local system sources for stealing\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Control\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071.001 - Application Layer Protocol:Web Protocols\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Connection and delivery\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-55'>\ntable#wpdtSimpleTable-55{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-55 td, table.wpdtSimpleTable55 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>PureCrypter<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">File<\/h4>\n\n\n\n<p>0f60f086665fd4d442821851c878c21b&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-56\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"56\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n       
             data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        0f60f086665fd4d442821851c878c21b\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                  
  data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        a4d4f31fb794bbf59be542f493aea9f9e3857d4\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-56'>\ntable#wpdtSimpleTable-56{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-56 td, table.wpdtSimpleTable56 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Dropped file&nbsp;<\/h4>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-57\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"57\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Path\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        
C:\\Users\\admin\\AppData\\Roaming\\ydVSL\\ydVSL.exe\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-57'>\ntable#wpdtSimpleTable-57{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-57 td, table.wpdtSimpleTable57 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Connections&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>5[.]181.80.126&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">URLs<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Http[x]:\/\/5.181.80.126\/Hjysa.mp4&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">File<\/h4>\n\n\n\n<p>QUOTATION_NOVQTRFA00541\u00b7PDF.scr&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">File<\/h4>\n\n\n\n<p>0f60f086665fd4d442821851c878c21b<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table 
id=\"wpdtSimpleTable-58\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"58\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        83999a2ce0109ea4adbecb3a96744e8c\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n         
           data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4b94f4b23b157c7ae2df54e251cd4d22c683134d\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-58'>\ntable#wpdtSimpleTable-58{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-58 td, table.wpdtSimpleTable58 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Domain&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gator3220.hostgator[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>PureLogs<\/strong>&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">File<\/h4>\n\n\n\n<p>RH2023-17.exe&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table 
id=\"wpdtSimpleTable-59\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"59\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        a7c14a39a5ee93ca25ab793be06c1478\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n         
           data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        c9eb61977fa0fd1bf1c9e7175a0088289e6b9bbd\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-59'>\ntable#wpdtSimpleTable-59{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-59 td, table.wpdtSimpleTable59 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Dropped file<\/h4>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-60\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"60\"\n           
data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Path\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        C:\\Users\\admin\\AppData\\Roaming\\Xokmrjn.exe\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-60'>\ntable#wpdtSimpleTable-60{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-60 td, table.wpdtSimpleTable60 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-61\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"61\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Path\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        C:\\Users\\admin\\AppData\\Local\\Temp\\Costura\\1485B29524EF63EB83DF771D39CCA767\\64\\sqlite.interop.dll\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                             
   <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5f0e72e1839db4aa41f560e0a68c7a95c9e1656bc2f4f4ff64803655d02e5272\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-61'>\ntable#wpdtSimpleTable-61{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-61 td, table.wpdtSimpleTable61 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Connections&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>91[.]92.120.119&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Domain&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Teleturismo[.]it&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>PureMiner<\/strong>&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">File<\/h4>\n\n\n\n<p>491310d10c0ea2d217c90a2403c20bea&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-62\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"62\"\n           
data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        491310d10c0ea2d217c90a2403c20bea\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17\u00a0          
          <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5bd371ae2edc0c2cf926e1543e4cdd7d92c83577\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-62'>\ntable#wpdtSimpleTable-62{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-62 td, table.wpdtSimpleTable62 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Dropped file<\/h4>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-63\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"63\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n       
             data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Path\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        C:\\Users\\admin\\AppData\\Roaming\\HResult\\TypeId.exe\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-63'>\ntable#wpdtSimpleTable-63{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-63 td, 
table.wpdtSimpleTable63 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Connections&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>91[.]92.240.95&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Domain&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Farmjo[.]mine.nu&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">More Submissions&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f972efd3-c053-42c2-a2d4-eade0f40acfb\/\">https:\/\/app.any.run\/tasks<\/a><a href=\"https:\/\/app.any.run\/tasks\/f972efd3-c053-42c2-a2d4-eade0f40acfb\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">\/f972efd3-c053-42c2-a2d4-eade0f40acfb\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/c4344ee1-bcd6-438f-9aba-f13c1c3dcca9\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/ta<\/a><a href=\"https:\/\/app.any.run\/tasks\/c4344ee1-bcd6-438f-9aba-f13c1c3dcca9\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\">sks\/c4344ee1-bcd6-438f-9aba-f13c1c3dcca9\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/629232cd-67e4-4f3b-880d-34c3675931a0\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/629232cd-67e4-4f3b-880d-3<\/a><a href=\"https:\/\/app.any.run\/tasks\/629232cd-67e4-4f3b-880d-34c3675931a0\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\">4c3675931a0\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/50294ac2-f3c1-43bd-9bec-0527fb1b8443\/\">https:\/\/app.any.run\/tasks\/50294ac2<\/a><a 
href=\"https:\/\/app.any.run\/tasks\/50294ac2-f3c1-43bd-9bec-0527fb1b8443\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=puremalwareanalysis&amp;utm_content=linktoservice&amp;utm_term=150124\" target=\"_blank\" rel=\"noreferrer noopener\">-f3c1-43bd-9bec-0527fb1b8443\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we\u2019re analyzing one of the most unusual crypters\u2014 PureCrypter, and a multifunctional stealer \u2014 PureLogs. We&#8217;ll look at several examples and identify patterns among Pure-malware families, and also explain how to detect PureCrypter and PureLogs.&nbsp; Why did we decide to undertake this analysis?&nbsp; While analyzing Public Submissions, we came across several interesting [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":6698,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-6639","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analysis of the Pure Malware Family: Unique and Growing Threat<\/title>\n<meta name=\"description\" content=\"Explore a detailed analysis of PureCrypter, PureLogs, and PureMiner, three representatives of the Pure malware family.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x and Jane\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"25 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\"},\"author\":{\"name\":\"khr0x and Jane\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"A Full Analysis of the Pure Malware Family: Unique and Growing Threat\",\"datePublished\":\"2024-01-16T05:45:36+00:00\",\"dateModified\":\"2026-02-10T13:47:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\"},\"wordCount\":3433,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\",\"name\":\"Analysis of the Pure Malware Family: Unique and Growing Threat\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-01-16T05:45:36+00:00\",\"dateModified\":\"2026-02-10T13:47:18+00:00\",\"description\":\"Explore a detailed analysis of PureCrypter, PureLogs, and PureMiner, three representatives of the Pure malware 
family.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"A Full Analysis of the Pure Malware Family: Unique and Growing Threat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg\",\"caption\":\"khr0x\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jane\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg\",\"caption\":\"Jane\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analysis of the Pure Malware Family: Unique and Growing Threat","description":"Explore a detailed analysis of PureCrypter, PureLogs, and PureMiner, three representatives of the Pure malware family.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/","twitter_misc":{"Written by":"khr0x and Jane","Est. 
reading time":"25 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/"},"author":{"name":"khr0x and Jane","@id":"https:\/\/any.run\/"},"headline":"A Full Analysis of the Pure Malware Family: Unique and Growing Threat","datePublished":"2024-01-16T05:45:36+00:00","dateModified":"2026-02-10T13:47:18+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/"},"wordCount":3433,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/","name":"Analysis of the Pure Malware Family: Unique and Growing Threat","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-01-16T05:45:36+00:00","dateModified":"2026-02-10T13:47:18+00:00","description":"Explore a detailed analysis of PureCrypter, PureLogs, and PureMiner, three representatives of the Pure malware family.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/pure-malware-family-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"A Full Analysis of the Pure Malware Family: Unique and Growing Threat"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg","caption":"khr0x"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jane","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg","caption":"Jane"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6639"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=6639"}],"version-history":[{"count":17,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6639\/revisions"}],"predecessor-version":[{"id":18411,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6639\/revisions\/18411"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/6698"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=6639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=6639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=6639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}