Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PureCrypter

59
Global rank
12 infographic chevron month
Month rank
13 infographic chevron week
Week rank
0
IOCs

First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.

Loader
Type
Unknown
Origin
2 March, 2021
First seen
15 March, 2025
Last seen

How to analyze PureCrypter with ANY.RUN

Type
Unknown
Origin
2 March, 2021
First seen
15 March, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 334
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 444
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 599
comments 0

What is PureCrypter malware?

PureCrypter is a .NET-based loader malware first observed in March 2021. It is designed to deploy various payloads, including remote access trojans (RATs), information stealers, and other malicious tools on compromised systems. The malware is often sold on underground forums, with prices ranging from $20 to $60 per build, making it accessible to a wide range of cybercriminals.

The malware was developed by a threat actor known as PureCoder, who markets it as a customizable and reliable loader for spreading malware. PureCrypter has been linked to notable campaigns distributing AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT, targeting individuals and organizations worldwide.

PureCrypter has been used in campaigns targeting financial institutions, healthcare organizations, and individual users. Its ability to deliver a wide variety of malware makes it a versatile and dangerous tool in the hands of cybercriminals.

To see how PureCrypter actually operates, you can upload its sample into ANY.RUN sandbox and check its behavior inside a secure environment.

PureCrypter analyzed inside ANY.RUN sandbox PureCrypter analyzed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureCrypter malware technical details

The primary functionalities and features of PureCrypter include:

  • Deploys various malware types such as AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT.
  • Uses SmartAssembly to obfuscate its code, making it difficult for antivirus tools to detect.
  • Encrypts and compresses payloads to conceal malicious activities during delivery.
  • Injects payloads into legitimate processes to bypass security measures and evade detection.
  • Ensures continued presence on the infected system through registry modifications and startup entries.
  • Sold on underground forums with options for customization, making it accessible to cybercriminals with varying technical expertise.
  • Delivered via phishing campaigns with malicious attachments (e.g., disguised .mp4, .pdf, or executable files).

Often used in campaigns against financial, healthcare, and individual targets globally.

PureCrypter malware execution process

To see how PureCrypter operates, let’s upload its sample to the ANY.RUN sandbox.

PureCrypter typically spreads through malicious downloads or phishing attacks. Once a user executes the infected file, the malware begins its execution chain. Upon execution, PureCrypter decrypts its payload in memory to avoid leaving traces on the disk, making it harder for traditional antivirus solutions to detect. The decrypted payload is then injected into a legitimate system process, helping the malware blend in with normal system activities and further evade detection.

In our case, the targeted process is MSBuild, but PureCrypter may also inject into other legitimate system processes, such as InstallUtil.

Malicious process displayed in ANY.RUN sandbox Malicious process displayed in ANY.RUN sandbox

In addition to process injection, PureCrypter leverages various trusted system tools. For example, in this scenario, it ran PowerShell to add Product.exe and its associated processes to the antivirus exclusion list, reducing the likelihood of detection.

Process tree of PureCrypter analysis inside ANY.RUN Process tree of PureCrypter analysis inside ANY.RUN

After establishing itself within a legitimate process, PureCrypter connects to its command-and-control (C2) server. Through this connection, attackers can issue commands, download additional payloads, or exfiltrate data from the infected machine. Ultimately, PureCrypter executes its primary malicious payload, which can range from ransomware or spyware to other forms of malware designed to steal data or compromise the system.

To ensure persistence after a reboot, PureCrypter may modify registry entries, create scheduled tasks, or use other persistence techniques. It can also self-delete after execution to erase evidence of its presence.

MITRE ATT&CK sub-technique identified by ANY.RUN sandbox MITRE ATT&CK sub-technique identified by ANY.RUN sandbox

In our example, the injected MSBuild process ran the Command Prompt (CMD) to terminate itself and remove the initial Product.exe file.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on PureCrypter Malware

To collect up-to-date intelligence on PureCrypter, use Threat Intelligence Lookup.

This service provides access to a vast database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can gather detailed data on threats, including IPs, domains, file names, and process artifacts.

Search results for PureCrypter in Threat Intelligence Lookup Search results for PureCrypter in Threat Intelligence Lookup

For instance, to investigate PureCrypter, you can search by its threat name or use a related artifact. A query like threatName:"PureCrypter" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PureCrypter is a dangerous malware capable of deploying various threats while evading detection through obfuscation and encryption. Tools like ANY.RUN can help to analyze suspicious files and URLs to prevent attacks.

ANY.RUN offers real-time malware analysis with features like visual execution chains and script tracing, helping users detect threats effectively.

Sign up for a free ANY.RUN account today and analyze unlimited malware attacks!

HAVE A LOOK AT

Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More