Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PureCrypter

69
Global rank
25 infographic chevron month
Month rank
18 infographic chevron week
Week rank
0
IOCs

First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.

Loader
Type
Unknown
Origin
2 March, 2021
First seen
12 February, 2025
Last seen

How to analyze PureCrypter with ANY.RUN

Type
Unknown
Origin
2 March, 2021
First seen
12 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 226
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 600
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1496
comments 0

What is PureCrypter malware?

PureCrypter is a .NET-based loader malware first observed in March 2021. It is designed to deploy various payloads, including remote access trojans (RATs), information stealers, and other malicious tools on compromised systems. The malware is often sold on underground forums, with prices ranging from $20 to $60 per build, making it accessible to a wide range of cybercriminals.

The malware was developed by a threat actor known as PureCoder, who markets it as a customizable and reliable loader for spreading malware. PureCrypter has been linked to notable campaigns distributing AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT, targeting individuals and organizations worldwide.

PureCrypter has been used in campaigns targeting financial institutions, healthcare organizations, and individual users. Its ability to deliver a wide variety of malware makes it a versatile and dangerous tool in the hands of cybercriminals.

To see how PureCrypter actually operates, you can upload its sample into ANY.RUN sandbox and check its behavior inside a secure environment.

PureCrypter analyzed inside ANY.RUN sandbox PureCrypter analyzed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureCrypter malware technical details

The primary functionalities and features of PureCrypter include:

  • Deploys various malware types such as AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT.
  • Uses SmartAssembly to obfuscate its code, making it difficult for antivirus tools to detect.
  • Encrypts and compresses payloads to conceal malicious activities during delivery.
  • Injects payloads into legitimate processes to bypass security measures and evade detection.
  • Ensures continued presence on the infected system through registry modifications and startup entries.
  • Sold on underground forums with options for customization, making it accessible to cybercriminals with varying technical expertise.
  • Delivered via phishing campaigns with malicious attachments (e.g., disguised .mp4, .pdf, or executable files).

Often used in campaigns against financial, healthcare, and individual targets globally.

PureCrypter malware execution process

To see how PureCrypter operates, let’s upload its sample to the ANY.RUN sandbox.

PureCrypter typically spreads through malicious downloads or phishing attacks. Once a user executes the infected file, the malware begins its execution chain. Upon execution, PureCrypter decrypts its payload in memory to avoid leaving traces on the disk, making it harder for traditional antivirus solutions to detect. The decrypted payload is then injected into a legitimate system process, helping the malware blend in with normal system activities and further evade detection.

In our case, the targeted process is MSBuild, but PureCrypter may also inject into other legitimate system processes, such as InstallUtil.

Malicious process displayed in ANY.RUN sandbox Malicious process displayed in ANY.RUN sandbox

In addition to process injection, PureCrypter leverages various trusted system tools. For example, in this scenario, it ran PowerShell to add Product.exe and its associated processes to the antivirus exclusion list, reducing the likelihood of detection.

Process tree of PureCrypter analysis inside ANY.RUN Process tree of PureCrypter analysis inside ANY.RUN

After establishing itself within a legitimate process, PureCrypter connects to its command-and-control (C2) server. Through this connection, attackers can issue commands, download additional payloads, or exfiltrate data from the infected machine. Ultimately, PureCrypter executes its primary malicious payload, which can range from ransomware or spyware to other forms of malware designed to steal data or compromise the system.

To ensure persistence after a reboot, PureCrypter may modify registry entries, create scheduled tasks, or use other persistence techniques. It can also self-delete after execution to erase evidence of its presence.

MITRE ATT&CK sub-technique identified by ANY.RUN sandbox MITRE ATT&CK sub-technique identified by ANY.RUN sandbox

In our example, the injected MSBuild process ran the Command Prompt (CMD) to terminate itself and remove the initial Product.exe file.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on PureCrypter Malware

To collect up-to-date intelligence on PureCrypter, use Threat Intelligence Lookup.

This service provides access to a vast database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can gather detailed data on threats, including IPs, domains, file names, and process artifacts.

Search results for PureCrypter in Threat Intelligence Lookup Search results for PureCrypter in Threat Intelligence Lookup

For instance, to investigate PureCrypter, you can search by its threat name or use a related artifact. A query like threatName:"PureCrypter" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PureCrypter is a dangerous malware capable of deploying various threats while evading detection through obfuscation and encryption. Tools like ANY.RUN can help to analyze suspicious files and URLs to prevent attacks.

ANY.RUN offers real-time malware analysis with features like visual execution chains and script tracing, helping users detect threats effectively.

Sign up for a free ANY.RUN account today and analyze unlimited malware attacks!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More