File name:	e59f8c9c1aff8910a4936a24fb18fe61
Full analysis:	https://app.any.run/tasks/7dfaedc6-fbda-4a11-a925-ae9b7695f5c1
Verdict:	Malicious activity
Threats:	First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. Malware Trends Tracker >>>
Analysis date:	October 23, 2024, 08:22:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	purecrypter netreactor
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	E59F8C9C1AFF8910A4936A24FB18FE61
SHA1:	2BE32D743E0F8862DA396D628ED0372E202E39A6
SHA256:	1E8124EE85E5548A138ACA54512791DE6F0CC2DA916C91896CBF63BC73E6B4EF
SSDEEP:	98304:/i4KcRsAapDznDxgdHQgjj34nW/pm4JLeykwFjmrnUIxcQrbwRNidsnOTBWOzxHn:/

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:10:19 09:28:48+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware
PEType:	PE32+
LinkerVersion:	8
CodeSize:	2101248
InitializedDataSize:	1536
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	Tckdoh
FileVersion:	1.0.0.0
InternalName:	Tckdoh.exe
LegalCopyright:	Copyright © 2010
LegalTrademarks:	-
OriginalFileName:	Tckdoh.exe
ProductName:	Tckdoh
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

PID	Process	Filename		Type
6044	e59f8c9c1aff8910a4936a24fb18fe61.exe	C:\Users\admin\AppData\Local\cvchost.exe		executable
		MD5:E59F8C9C1AFF8910A4936A24FB18FE61	SHA256:1E8124EE85E5548A138ACA54512791DE6F0CC2DA916C91896CBF63BC73E6B4EF
6044	e59f8c9c1aff8910a4936a24fb18fe61.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs		text
		MD5:388B9D6488E0D6999A6F9D1DEC8DD729	SHA256:7404B936F50F23AD5D699072FD142DD23788F7CC7DDB164AC4CC67E8CDF0BA5B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3952	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3952	RUXIMICS.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.178:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3952	RUXIMICS.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3952	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	104.126.37.178 104.126.37.185 104.126.37.123 104.126.37.177 104.126.37.176 104.126.37.186 104.126.37.130 104.126.37.184 104.126.37.128	whitelisted
google.com	172.217.16.142	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	13.69.116.107	whitelisted

General Info

e59f8c9c1aff8910a4936a24fb18fe61

E59F8C9C1AFF8910A4936A24FB18FE61

2BE32D743E0F8862DA396D628ED0372E202E39A6

1E8124EE85E5548A138ACA54512791DE6F0CC2DA916C91896CBF63BC73E6B4EF

98304:/i4KcRsAapDznDxgdHQgjj34nW/pm4JLeykwFjmrnUIxcQrbwRNidsnOTBWOzxHn:/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PURECRYPTER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Manual execution by a user

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings