File name: 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d

Full analysis: https://app.any.run/tasks/f6b3d082-d95f-4a82-8165-a1b38d00559b
Verdict: Malicious activity
Threats:

First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.

Analysis date: January 10, 2025, 18:08:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netreactor, purecrypter
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 57E3EC29544A0C1841BA8C9BEF860CF9
SHA1: C1C1AC0421A0B16D07C412F8957335348F24A64B
SHA256: 5AAFD78C24D92F25DD27DFEA5492FA2212D52586AF05400E55853F3F2218DE8D
SSDEEP: 49152:nHlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZX:cAGQX21RBt7QjTmcaTH/vU4do9Pcjq1A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • PURECRYPTER has been detected (YARA)
      • RegSvcs.exe (PID: 900)
  • SUSPICIOUS
    • Connects to unusual port
      • RegSvcs.exe (PID: 900)
  • INFO
    • Checks supported languages
      • 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe (PID: 3812)
      • RegSvcs.exe (PID: 900)
    • Reads mouse settings
      • 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe (PID: 3812)
    • The sample was compiled with English language support
      • 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe (PID: 3812)
    • Reads the computer name
      • RegSvcs.exe (PID: 900)
    • Creates files in a temporary directory
      • 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe (PID: 3812)
    • .NET Reactor protector has been detected
      • RegSvcs.exe (PID: 900)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 900)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 768000
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:03 10:25:03+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 132
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe (no specs) → regsvcs.exe (#PURECRYPTER)

Process information

PID: 3812
CMD: "C:\Users\admin\AppData\Local\Temp\5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe"
Path: C:\Users\admin\AppData\Local\Temp\5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID: 900
CMD: "C:\Users\admin\AppData\Local\Temp\5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 294
Read events: 294
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3812 | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe | C:\Users\admin\AppData\Local\Temp\resharpen | binary | 9E8E6E8BF8B55809DDF551D1D16480E7 | 15BFA8A34C8A324382A03B8C6B46DED860B2DBE912483C31FDFE59837998662B
3812 | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe | C:\Users\admin\AppData\Local\Temp\aut72F1.tmp | binary | 9E8E6E8BF8B55809DDF551D1D16480E7 | 15BFA8A34C8A324382A03B8C6B46DED860B2DBE912483C31FDFE59837998662B
HTTP(S) requests: 7
TCP/UDP connections: 38
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3040 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2212 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2212 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4952 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3040 | svchost.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 92.123.104.34:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3040 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2212 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3040 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
900 | RegSvcs.exe | 163.5.32.40:7702 | - | - | FR | unknown
3040 | svchost.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3040 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 92.123.104.63:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 92.123.104.34, 92.123.104.63, 92.123.104.62, 92.123.104.38, 92.123.104.32, 92.123.104.31, 92.123.104.33 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158, 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.195, 23.48.23.182, 23.48.23.184, 23.48.23.186, 23.48.23.140, 23.48.23.144, 23.48.23.191, 23.48.23.188 | whitelisted
www.microsoft.com | 69.192.161.161, 2.23.246.101 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.76, 40.126.32.140, 20.190.160.14, 40.126.32.74, 40.126.32.136, 40.126.32.134, 20.190.160.17, 40.126.32.133 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
slscr.update.microsoft.com | 20.12.23.50, 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

No threats detected
No debug info