{
	"id": "07224703-56b5-4a02-9a99-f9edd9d353f4",
	"created_at": "2026-04-06T00:18:30.268634Z",
	"updated_at": "2026-04-10T13:11:33.354749Z",
	"deleted_at": null,
	"sha1_hash": "37e6f1babc0a386cd908cde5d4f9d06a4bf494fc",
	"title": "PureCrypter is busy pumping out various malicious malware families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2937158,
	"plain_text": "PureCrypter is busy pumping out various malicious malware\r\nfamilies\r\nBy wanghao\r\nPublished: 2022-08-29 · Archived: 2026-04-05 20:06:25 UTC\r\nIn our daily botnet analysis work, it is common to encounter various loaders. Compared to other types of malware,\r\nloaders are unique in that they are mainly used to \"promote\", i.e., download and run other malware on the infected\r\nmachine. According to our observations, most loaders are proprietary and have a binding relationship with the\r\nfamily they are promoting. A few loader families make themselves into promotion platforms that can spread any\r\nother malware family, achieving the so-called malware-as-a-service (MaaS). Compared with proprietary loaders,\r\nMaaS types are obviously more dangerous and should be our primary target of concern.\r\nThis article introduces a MaaS type loader we saw a while ago, named PureCrypter, which is very active this year,\r\npromoting more than 10 other families and using hundreds of C2s. 
Zscaler has done a detailed sample analysis;\r\nthis blog mainly introduces the PureCrypter propagation activity we saw from the perspective of C2s and\r\npropagation chains to explore the operation of the MaaS type botnet.\r\nThe main points of this paper are as follows.\r\nPureCrypter is a loader written in C# that has been around since at least 2021 and can propagate any other\r\nfamily.\r\nPureCrypter continues to be active this year and has propagated more than 10 other malware families\r\nincluding Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and others.\r\nPureCrypter authors appear to be resourceful, as we have seen hundreds of C2 domains and IPs.\r\nPureCrypter uses image name suffixes combined with inversion, compression and encryption to avoid\r\ndetection.\r\nPureCrypter has a long propagation chain, and most samples use pre-protectors, sometimes mixed with\r\nother loaders, making detection more difficult.\r\nIn general, the spread of PureCrypter can be summarized in the following figure.\r\nhttps://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/\r\nPage 1 of 17\n\nNow let’s look at the samples and some typical propagation cases below.\r\nSample analysis\r\nPureCrypter uses a package mechanism, which consists of two executables: downloader and injector, both\r\nwritten in C#, where the downloader is responsible for propagating the injector, which releases and runs the final\r\npayload.\r\nIn practice, the attacker generates the downloader and injector through the builder, and then tries to propagate the\r\ndownloader, which downloads and executes the injector on the target machine; the injector then does the rest of\r\nthe work. 
In terms of code logic, the downloader module is relatively simple, with a low level of binary\r\nobfuscation and no complex operations such as environment detection and persistence, while the injector uses\r\ncommon tricks and techniques seen in popular loaders, such as binary obfuscation, runtime environment detection,\r\nstarting puppet processes, etc. The following is a brief introduction to the downloader and injector combined with\r\nactual examples.\r\ndownloader module\r\nThis module directly calls WebClient's DownloadData method for HTTP downloads, without setting any HTTP\r\nheaders.\r\nThe following is an example of downloading a sample variant with inverted processing; from the parsing code you\r\ncan see that the HTTP payload is inverted.\r\nThe inverted PE header can be found at the end.\r\nFinally, the recovered data (.DLL file) is loaded by Assembly.Load, and the entry method, whose name is stored in plaintext, is\r\ncalled to proceed to the next stage.\r\nPureCrypter's protection of the injector download is relatively simple; so far, in addition to the above mentioned\r\ninverted (reverse) encoding, there are also gzip compression, symmetric encryption, etc. 
This encoding is fixed,\r\nthat is, the builder has already determined the encoding method when generating the downloader and\r\ninjector modules.\r\nThe following is an example of using gzip compression and then transferring the injector; the magic header of\r\ngzip can be found at the beginning: 1F 8B 08 00 .\r\nWe have also come across examples where AES encryption is used.\r\nIn addition to AES, PureCrypter also supports DES, RC4 and other encryption algorithms.\r\ninjector module\r\nIf you analyze the injector samples restored by the downloader, you will find that they are heavily obfuscated.\r\nHere is an example of an injector obfuscated by SmartAssembly with partially encrypted resources.\r\nAs shown in the figure above, first the relevant configuration information is obtained from the combination of Reverse +\r\nGZip + Protobuf.Deserialize; then the runtime environment is checked to fight against sandboxing, with mutex\r\ncreation and persistence being done based on the configuration; and finally the payload is read from the resource\r\nsection for loading. The sample does not enter any if statement, and soon reaches the last important function,\r\nwhich mainly implements the final payload injection. Four injection methods are supported. 
While which one to use\r\ndepends on the configuration, Process Hollowing is the most frequently used one.\r\nThe final payload is stored in the resource.\r\nAfter reversing and gzip decompression, a puppet process is created to start the final payload.\r\nThe final payload promoted above is AgentTesla, whose configuration information is as follows.\r\nhost: raphaellasia.com\r\nport:587\r\nusername: origin@raphaellasia.com\r\npwd: student@1980\r\nto: origin2022@raphaellasia.com\r\nAccidental discovery\r\nPureCrypter likes to disguise the injector as an image for download; the image name is relatively random and\r\nhas obvious machine generated features. Here are some of the actual detected image names.\r\n# pattern 1\r\n/dl/0414/net_Gzhsuovx.bmp\r\n/dl/0528/mars2_Hvvpvuns.bmp\r\n/dl/0528/az_Tsrqixjf.bmp\r\n# pattern 2\r\n/040722/azne_Bvaquebo.bmp\r\n/04122022/net_Ygikzmai.bmp\r\n/04122022/azne_Jzoappuq.bmp\r\n/04122022/pm_Dxjlqugu.bmp\r\n/03252022/azne_Rmpsyfmd.bmp\r\n# pattern 3\r\n/Rrgbu_Xruauocq.png\r\n/Gepstl_Mouktkmu.bmp\r\n/Zhyor_Uavuxobp.png\r\n/Xgjbdziy_Kglkvdfb.png\r\n/Ankwgqtwf_Bdevsqnz.bmp\r\n/Osgyjgne_Ymgrebdt.png\r\n/Rrgbu_Xruauocq.png\r\n/Gepstl_Mouktkmu.bmp\r\n/Osgyjgne_Ymgrebdt.png\r\n/Osgyjgne_Ymgrebdt.png\r\n/Zhyor_Uavuxobp.png\r\nAfter analyzing several samples, we found that there is a correspondence between the requested image name and\r\nthe downloader's AssemblyName.\r\nPictureName AssemblyName\r\nBelcuesth_Ipdtbadv.png Belcuesth\r\nKzzlcne_Prgftuxn.png Kzzlcne\r\nnewminer2_Jrltkmeh.jpg newminer2\r\nBelcuesth_Ipdtbadv.png Belcuesth\r\nNykymad_Bnhmcpqo.bmp Nykymad\r\nmy_ori_Ywenb_Yzueqpjp.bmp my ori Ywenb\r\nand the content after the underscore always matches the regular expression\r\n[A-Z][a-zA-Z]{7}\r\nC2 and 
propagation analysis\r\nPureCrypter has been active this year, and we have detected more than 200 C2 domains and IPs, and more than 10\r\npropagated families. In the cases we have seen, the propagation chain is generally long, and the downloader\r\nmodule of PureCrypter is often used in conjunction with various other types of predecessor downloaders. Because\r\nthere are too many C2s to cover, we take 185.215.113.89 as an example in terms of scale and\r\npropagation methods.\r\nC2 analysis\r\nThis C2 is more active than the others we detected, and its active time is from mid-April to early June\r\nthis year, as shown in the figure below.\r\nIts activity level can be reflected visually by our graph system.\r\nIt can be seen that it is associated with many domains and IPs; the following is part of the IP's domain name\r\nresolution during this period.\r\n2022-04-14 22:47:34 2022-07-05 00:42:16 22 rockrock.ug A 185.215.113.89\r\n2022-04-21 08:22:03 2022-06-13 09:17:50 15 marnersstyler.ug A 185.215.113.89\r\n2022-04-17 03:17:41 2022-06-10 04:31:27 2538 qwertzx.ru A 185.215.113.89\r\n2022-04-24 02:16:46 2022-06-09 00:11:24 3 hubvera.ac.ug A 185.215.113.89\r\n2022-04-15 23:47:43 2022-06-08 19:24:59 43 timekeeper.ug A 185.215.113.89\r\n2022-04-15 11:34:35 2022-06-08 19:24:59 35 boundertime.ru A 185.215.113.89\r\n2022-04-14 23:01:50 2022-06-08 15:33:25 24 timebound.ug A 185.215.113.89\r\n2022-04-15 21:58:54 2022-06-08 05:43:21 7 www.rockrock.ug A 185.215.113.89\r\n2022-04-16 20:50:41 2022-06-08 01:44:01 54 beachwood.ug A 185.215.113.89\r\n2022-04-23 16:23:41 2022-06-07 18:30:51 5 asdsadasrdc.ug A 185.215.113.89\r\n2022-05-02 22:35:40 2022-06-07 04:34:12 17 leatherlites.ug A 185.215.113.89\r\n2022-05-29 17:46:00 2022-06-07 
03:50:36 3 underdohg.ac.ug A 185.215.113.89\r\n2022-04-15 22:34:53 2022-06-07 03:33:10 18 rockphil.ac.ug A 185.215.113.89\r\n2022-04-15 03:09:13 2022-06-07 03:19:50 14 pdshcjvnv.ug A 185.215.113.89\r\n2022-04-15 03:04:12 2022-06-07 03:12:04 16 mistitis.ug A 185.215.113.89\r\n2022-04-16 03:08:46 2022-06-07 03:08:48 18 nicoslag.ru A 185.215.113.89\r\n2022-04-19 02:33:31 2022-06-07 02:37:08 16 danwisha.ac.ug A 185.215.113.89\r\n2022-05-28 23:56:02 2022-06-05 05:14:50 7 underdohg.ug A 185.215.113.89\r\n2022-05-10 14:44:28 2022-06-02 17:40:12 24 jonescourtney.ac.ug A 185.215.113.89\r\n2022-06-02 07:44:25 2022-06-02 07:44:25 1 triathlethe.ug A 185.215.113.89\r\n2022-04-24 03:05:38 2022-06-01 16:54:59 2191 qwertasd.ru A 185.215.113.89\r\n2022-04-17 09:34:27 2022-06-01 01:42:07 2 partaususd.ru A 185.215.113.89\r\n2022-04-25 00:08:53 2022-05-31 07:17:00 5 timecheck.ug A 185.215.113.89\r\n2022-04-21 02:36:41 2022-05-31 01:20:37 21 courtneyjones.ac.ug A 185.215.113.89\r\n2022-04-16 19:09:02 2022-05-31 01:02:02 14 marksidfgs.ug A 185.215.113.89\r\n2022-04-25 03:01:15 2022-05-30 03:04:29 10 mofdold.ug A 185.215.113.89\r\n2022-04-15 02:36:21 2022-05-30 02:32:53 17 check-time.ru A 185.215.113.89\r\n2022-04-18 02:21:26 2022-05-30 02:22:30 17 agenttt.ac.ug A 185.215.113.89\r\n2022-04-17 03:17:46 2022-05-29 03:17:26 15 qd34g34ewdfsf23.ru A 185.215.113.89\r\n2022-04-19 02:25:06 2022-05-29 02:22:57 14 andres.ug A 185.215.113.89\r\n2022-04-16 02:27:44 2022-05-29 02:22:47 16 asdasgs.ug A 185.215.113.89\r\nFrom the visits in column 3, differences in the number of visits to these domains can be found, with overall visits\r\nin the thousands, and this is only one of the many C2s we see.\r\nThrough correlation analysis, we found that 185.215.113.89 is often used in conjunction with two C2s,\r\n62.204.41.69 (March) and 45.143.201.4 (June), and their relationship can be correlated using the chart 
below.\r\nPropagation analysis\r\nPureCrypter uses the dual module mechanism of downloader+injector: the former is disseminated first and then the\r\nlatter, which is equivalent to adding a link to the dissemination chain; combined with the author's usual\r\nmeans of hiding the injector, such as fake image names and encoded transmission, this is complicated enough in\r\nitself.\r\nThe author also put a lot of effort into downloader propagation: we have seen bundling with cracked software via bat2exe,\r\nthe use of VBS and PowerShell script loaders, combination with a Godzilla front loader, and\r\nmany other ways; superimposed, these operations make the spread chain generally deeper and more\r\ncomplex. In May we even found cases of spreading Raccoon through PureCrypter, which further spread Azorult,\r\nRemcos, PureMiner, and PureClipper.\r\nHere are a few typical propagation techniques.\r\n1, \"Bat2Exe+Powershell+VBS+Meteorite+PureCrypter\" spreading Mars Stealer\r\nThis is mainly seen in some cracked software, where the downloader module is bundled with it for propagation using\r\nBat2Exe. The actual payload files stored in the resource are released to the tmp directory and triggered by\r\nstart.bat. The files released in the tmp directory are shaped as follows.\r\nThe start.bat command takes the shape of:\r\nIn the case we analyzed, the .lnk file is used to start PowerShell to execute the malicious command.\r\nPowershell decodes a base64-encoded VBS loader.\r\nThe VBS loader further releases a downloader and runs the latter via shellcode. 
The key information of this\r\ndownloader is stored in the resource, including the process name and download url, as shown in the image below.\r\nThe downloader is named Meteorite according to its process name after running; the url in the above figure\r\ncorresponds to the downloader module of PureCrypter, and the complete communication process is as follows.\r\nThe final payload is Mars Stealer, c2: rockrock.ug/gggate.php, with the following configuration information:\r\n2, \"VBS/Powershell + PureCrypter\" propagating PureMiner\r\nThe C2 involved is 89.34.27.167. The entry can be either a VBS script or a Powershell script; here is an\r\nexample of a VBS script.\r\nThe network communication traffic is as follows.\r\nThe Powershell script is as follows.\r\nThe Powershell script downloads and runs the downloader module of PureCrypter, which proceeds to download\r\nthe injector; what is notable here is that Discord is used to distribute the injector:\r\nThe final payload is PureMiner and its C2 is as follows:\r\n185.157.160.214\r\npwn.oracleservice.top\r\npwn.letmaker.top\r\nport: 8080, 8444\r\n3, \"unknown .NET downloader + PureCrypter\" to spread AgentTesla, RedLine\r\nThe downloader family is unknown, and its runtime is also divided into multiple stages, where the stage0 module\r\nis responsible for loading the stage1 malicious module in the resource.\r\nThe stage1 module will continue to load the next stage module stage2 after running.\r\nThe stage2 module is also a crypter (not yet named), different from PureCrypter; it also provides a download\r\nfunction, used to download the malicious PureCrypter downloader module, that is, the 
figure of puty.exe.\r\nThe malware can be decrypted from the resource with the key bnvFGkCKlnhQ using the following algorithm.\r\nTwo families of binaries are spread. Stage2's payload is AgentTesla with C2:\r\nhttps[:]//api.telegram.org/bot5421147975:AAGrsGnLOHZfFv7yHuj3hZdQSOVmPodIAVI/sendDocument\r\nPureCrypter's payload is RedLine with C2:\r\nIP: workstation2022.ddns.net:62099\r\nID: cheat\r\nSummary\r\nPureCrypter is a MaaS type botnet that is still active and has spread more than 10 other families of payloads, with\r\ngenerally complex spreading practices. There might be a fairly big and resourceful team behind it, so it won’t\r\nsurprise us if they continuously add and spread other malicious families in the future. We will keep an eye on it\r\nand share more information when it is needed.\r\nReaders are always welcome to reach us on twitter or email us at netlab[at]360.cn.\r\nIoCs\r\nMD5\r\nFamily Name MD5\r\nBat2Exe Downloader 424ed5bcaae063a7724c49cdd93138f5\r\nVBS downloader 3f20e08daaf34b563227c797b4574743\r\nPowershell downloader c4c5167dec23b6dd2d565cd091a279e4\r\nUnknown .NET Downloader 9b70a337824bac612946da1432295e9c\r\nC2 \u0026URL\r\nSource: https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/"
	],
	"report_names": [
		"purecrypter-is-busy-pumping-out-various-malicious-malware-families"
	],
	"threat_actors": [],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37e6f1babc0a386cd908cde5d4f9d06a4bf494fc.pdf",
		"text": "https://archive.orkl.eu/37e6f1babc0a386cd908cde5d4f9d06a4bf494fc.txt",
		"img": "https://archive.orkl.eu/37e6f1babc0a386cd908cde5d4f9d06a4bf494fc.jpg"
	}
}