Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PureCrypter

69
Global rank
26 infographic chevron month
Month rank
20 infographic chevron week
Week rank
0
IOCs

First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.

Loader
Type
Unknown
Origin
2 March, 2021
First seen
11 February, 2025
Last seen

How to analyze PureCrypter with ANY.RUN

Type
Unknown
Origin
2 March, 2021
First seen
11 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is PureCrypter malware?

PureCrypter is a .NET-based loader malware first observed in March 2021. It is designed to deploy various payloads, including remote access trojans (RATs), information stealers, and other malicious tools on compromised systems. The malware is often sold on underground forums, with prices ranging from $20 to $60 per build, making it accessible to a wide range of cybercriminals.

The malware was developed by a threat actor known as PureCoder, who markets it as a customizable and reliable loader for spreading malware. PureCrypter has been linked to notable campaigns distributing AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT, targeting individuals and organizations worldwide.

PureCrypter has been used in campaigns targeting financial institutions, healthcare organizations, and individual users. Its ability to deliver a wide variety of malware makes it a versatile and dangerous tool in the hands of cybercriminals.

To see how PureCrypter actually operates, you can upload its sample into ANY.RUN sandbox and check its behavior inside a secure environment.

PureCrypter analyzed inside ANY.RUN sandbox PureCrypter analyzed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

PureCrypter malware technical details

The primary functionalities and features of PureCrypter include:

  • Deploys various malware types such as AgentTesla, SnakeKeylogger, RedLine Stealer, and AsyncRAT.
  • Uses SmartAssembly to obfuscate its code, making it difficult for antivirus tools to detect.
  • Encrypts and compresses payloads to conceal malicious activities during delivery.
  • Injects payloads into legitimate processes to bypass security measures and evade detection.
  • Ensures continued presence on the infected system through registry modifications and startup entries.
  • Sold on underground forums with options for customization, making it accessible to cybercriminals with varying technical expertise.
  • Delivered via phishing campaigns with malicious attachments (e.g., disguised .mp4, .pdf, or executable files).

Often used in campaigns against financial, healthcare, and individual targets globally.

PureCrypter malware execution process

To see how PureCrypter operates, let’s upload its sample to the ANY.RUN sandbox.

PureCrypter typically spreads through malicious downloads or phishing attacks. Once a user executes the infected file, the malware begins its execution chain. Upon execution, PureCrypter decrypts its payload in memory to avoid leaving traces on the disk, making it harder for traditional antivirus solutions to detect. The decrypted payload is then injected into a legitimate system process, helping the malware blend in with normal system activities and further evade detection.

In our case, the targeted process is MSBuild, but PureCrypter may also inject into other legitimate system processes, such as InstallUtil.

Malicious process displayed in ANY.RUN sandbox Malicious process displayed in ANY.RUN sandbox

In addition to process injection, PureCrypter leverages various trusted system tools. For example, in this scenario, it ran PowerShell to add Product.exe and its associated processes to the antivirus exclusion list, reducing the likelihood of detection.

Process tree of PureCrypter analysis inside ANY.RUN Process tree of PureCrypter analysis inside ANY.RUN

After establishing itself within a legitimate process, PureCrypter connects to its command-and-control (C2) server. Through this connection, attackers can issue commands, download additional payloads, or exfiltrate data from the infected machine. Ultimately, PureCrypter executes its primary malicious payload, which can range from ransomware or spyware to other forms of malware designed to steal data or compromise the system.

To ensure persistence after a reboot, PureCrypter may modify registry entries, create scheduled tasks, or use other persistence techniques. It can also self-delete after execution to erase evidence of its presence.

MITRE ATT&CK sub-technique identified by ANY.RUN sandbox MITRE ATT&CK sub-technique identified by ANY.RUN sandbox

In our example, the injected MSBuild process ran the Command Prompt (CMD) to terminate itself and remove the initial Product.exe file.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on PureCrypter Malware

To collect up-to-date intelligence on PureCrypter, use Threat Intelligence Lookup.

This service provides access to a vast database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can gather detailed data on threats, including IPs, domains, file names, and process artifacts.

Search results for PureCrypter in Threat Intelligence Lookup Search results for PureCrypter in Threat Intelligence Lookup

For instance, to investigate PureCrypter, you can search by its threat name or use a related artifact. A query like threatName:"PureCrypter" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

PureCrypter is a dangerous malware capable of deploying various threats while evading detection through obfuscation and encryption. Tools like ANY.RUN can help to analyze suspicious files and URLs to prevent attacks.

ANY.RUN offers real-time malware analysis with features like visual execution chains and script tracing, helping users detect threats effectively.

Sign up for a free ANY.RUN account today and analyze unlimited malware attacks!

HAVE A LOOK AT

Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More