In this example, the downloader was disguised as a fake date console application. PureCrypter’s first-stage is a simple downloader. The process for each of these PureCrypter stages is described in detail below. In this sample, PureCrypter injects a SnakeKeylogger sample inside the process MSBuild.exe. The downloaded second-stage is the main PureCrypter payload, which will decrypt various resources and parse an internal configuration file that determines the malware’s settings.Finally, PureCrypter will inject the final malware payload inside another process. This first-stage downloader is likely part of the PureCrypter package. NET downloader that will execute a second-stage payload in memory. However, this first-stage is in fact a simple. This sample is an image (.img) file containing a fake. ThreatLabz has observed PureCrypter being used to distribute the following malware families: PureCrypter has been growing in popularity with a number of information stealers and remote access trojans (RATs) being deployed by it. These tools are likely used for the initial infection vector. Example screenshot of the PureCrypter websiteĪt the top of the builder, a tab bar indicates the presence of additional tools (e.g., Office macro builder and Downloader).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |