{
	"id": "0a0bf560-bc99-4681-b99b-3615a6e42dec",
	"created_at": "2026-04-06T00:11:58.462299Z",
	"updated_at": "2026-04-10T03:21:46.823646Z",
	"deleted_at": null,
	"sha1_hash": "a692ac275da022f1fcda8524e934d3fdc5814303",
	"title": "Technical Analysis of PureCrypter | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1767381,
	"plain_text": "Technical Analysis of PureCrypter | Zscaler Blog\r\nBy Romain Dumont\r\nPublished: 2022-06-13 · Archived: 2026-04-05 18:18:04 UTC\r\nKey points\r\nPureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and\r\nobfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s\r\nProtocol Buffer message format  \r\nSummary\r\nPureCrypter is actively being developed by a threat actor using the moniker “PureCoder”. The malware has been sold and\r\nadvertised since at least March 2021 according to the author’s website https://purecoder.sellix.io/. At the time of publication,\r\nPureCrypter is for sale with a cost of $59. Figure 1 shows PureCrypter’s website with a malware builder that provides a\r\nnumber of options including the following:\r\nFake messages (e.g. fake error message to show to the user)\r\nBinder (additional file to be written to disk)\r\nInjection types (method to load the final stage)\r\nPersistence (startup)\r\nOptional features (mainly defense mechanisms)\r\nFigure 1. Example screenshot of the PureCrypter website\r\nAt the top of the builder, a tab bar indicates the presence of additional tools (e.g., Office macro builder and Downloader).\r\nThese tools are  likely used for the initial infection vector.\r\nPureCrypter has been growing in popularity with a number of information stealers and remote access trojans (RATs) being\r\ndeployed by it. 
ThreatLabz has observed PureCrypter being used to distribute the following malware families:\r\nAgentTesla\r\nArkei\r\nAsyncRAT\r\nAzorult\r\nDcRAT\r\nLokiBotStealer\r\nNanocore\r\nRedLineStealer\r\nRemcos\r\nSnakeKeylogger\r\nWarzoneRAT\r\nOverview of an infection process\r\nThe sample with the SHA256 hash 4a88f9feaed04917f369fe5089f5c09f791bf1214673f6313196188e98093d74 was\r\nanalyzed for this blog. This sample is an image (.img) file containing a fake .bat file named 63342221.BAT. However, this\r\nfirst-stage is in fact a simple .NET downloader that will execute a second-stage payload in memory. This first-stage\r\ndownloader is likely part of the PureCrypter package. The downloaded second-stage is the main PureCrypter payload,\r\nwhich will decrypt various resources and parse an internal configuration file that determines the malware’s settings. Finally,\r\nPureCrypter will inject the final malware payload inside another process. In this sample, PureCrypter injects a\r\nSnakeKeylogger sample inside the process MSBuild.exe. The process for each of these PureCrypter stages is described in\r\ndetail below.\r\nFirst-stage Downloader\r\nPureCrypter’s first-stage is a simple downloader. In this example, the downloader was disguised as a fake date console\r\napplication. The main function for this application is shown below in Figure 2.\r\nFigure 2. PureCrypter downloader main function\r\nThe application secretly downloads a .NET assembly from a command and control server in order to bypass security\r\nproducts. The bytes of the assembly are completely reversed and this same technique is used across PureCrypter’s different\r\nstages. The second-stage filename typically has a fake extension such as “jpg”, “png” or “log” and/or a legitimate-looking\r\nfilename (e.g., “EpicGames.jpg”). 
The sample analyzed by ThreatLabz downloaded the second-stage from\r\nhttp://gbtak[.]ir/wp-content/Ygjklu.log (the SHA256 was\r\n7bd6a945f1de0e390d2669c027549b49107bf116f8b064bf86b5e897794f46f9 after the bytes were reversed) as shown in\r\nFigure 3.\r\nFigure 3. PureCrypter downloader code to retrieve the second-stage payload\r\nThe first-stage then loads the assembly, retrieves the hardcoded name of a method to call and invokes it.\r\nSecond-stage Injector\r\nThe second-stage payload is a more sophisticated piece of code and the core component of PureCrypter. On top of that, the\r\n.NET assembly is obfuscated with the commercial tool SmartAssembly.\r\nResources and Assemblies Obfuscation\r\nAs part of the SmartAssembly’s obfuscation, the module entrypoint first adds an assembly and a resource resolver. An extra\r\nassembly resolver is added to handle compressed and/or encrypted data. Basically, when an assembly is referenced the\r\nresolver will capture that event and try to load the assembly from its resources. The requested assembly name is checked\r\nagainst a list of hardcoded assembly tokens or names (Figure 4).\r\nFigure 4. PureCrypter’s obfuscation assembly resolver callback\r\nThere are also some additional headers present including a hardcoded array shown in Figure 5.\r\nFigure 5. Hardcoded array of assembly information\r\nThe array includes flags that determine how the second-stage payload is stored and whether it should be written to disk.\r\nThese flags have the following meaning:\r\nFlag value | Description\r\nz | indicates the assembly is compressed and/or encrypted\r\nt | indicates the assembly should be written to the disk\r\nIn the case of the “z” flag, PureCrypter checks if the resource string contains the header “{z}” as described here. 
The\r\nfollowing byte describes how the data is stored as shown below:\r\nFlag value | Description\r\n3 | the assembly is encrypted with AES-CBC\r\n1 | the assembly is compressed with Zlib\r\nThe sample analyzed by ThreatLabz had the AES key 2F820378FEEFBD90987D05D28F0FF0FE and initialization vector\r\n(IV) 742CA81F5AC2028E04861092F9F72ECB.\r\nThis second-stage PureCrypter sample analyzed by ThreatLabz contained 2 resources: a SnakeKeylogger variant (the bytes\r\nwere reversed and gzip compressed) and a resource-only .NET library that contains the following two compressed (raw\r\ninflate) libraries:\r\nCostura library to embed references as resources\r\nProtobuf library for object deserialization\r\nIn this case, SmartAssembly uses two levels of resource resolvers.\r\nPureCrypter Features\r\nThe main function of the PureCrypter injector starts by reversing, decompressing (gunzip) and deserializing an object into\r\nthe following protocol buffer (protobuf) structure in Figure 6.\r\nFigure 6. PureCrypter protobuf structure\r\nThe protobuf structure is largely self-explanatory with respect to the capabilities of the PureCrypter injector. Table 1 shows a
Table 1 shows a\r\nsummary of the most relevant fields.\r\n \r\nMember(s) name Functionality\r\nIsDelay, Delay Wait for the given amount of seconds before running the malware\r\nIsFakeMessage,\r\nFakeMessageType,\r\nFakeMessageText\r\nDisplay a message to the user\r\nIsExclusion\r\nRun a Base64 encoded powershell command:\r\n“Set-MpPreference -ExclusionPath”\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter\r\nPage 4 of 13\n\nIsMutex, MutexString Create a global mutex\r\nIsAnti\r\nSelf-deletion via the powershell command:\r\n‘Start-Sleep -s 10; Remove-Item -Path “‘ + FILEPATH + ‘\" -Force’\r\nIsDiscord, DiscordWebHookUrl Send an infection status message on Discord (detailed below)\r\nBinderSettings*\r\nIf enabled, decompress (gzip) and drop the content of a ByteArray into\r\n%TEMP%\\FileName, create the file aw4t2cuogdm.vbs and execute it via\r\nWScript.Shell\r\nStartupSettings* Install the malware persistence (detailed below)\r\nCommandLine, Is64bit,\r\nEnumInjection, InjectionPath\r\nRun the associated malware via one of the injection methods (detailed below)\r\nTable 1. PureCrypter main features\r\nSome options provided in the protobuf structure such as Payload and IsMelt are unreferenced.\r\nNew PureCrypter Features\r\nThe serialized protobuf object has been updated in more recent samples and contains a few more options as described in\r\nTable 2.\r\nMember(s) name Functionality\r\nExclusionRegionNames Compare the result of kernel32!GetGeoInfo with a list of regions\r\nMemoryBombing\r\nAllocate large memory regions between 400000000 and 500000000 bytes via\r\nAllocateHGlobal\r\nCrypterKiller Removes itself from the system and terminate its process\r\nIsAntiDelete Opens itself in read mode and duplicates the handle to “explorer.exe”\r\nTelegramToken,\r\nTelegramID\r\nLike the Discord webhook, the malware can send an infection status via Telegram\r\nTable 2. 
New PureCrypter features\r\nDiscord Webhook and Telegram\r\nThe author of PureCrypter provided an option to send an infection status message on a Discord channel. Using the\r\nDiscordWebHookUrl parameter, the malware can send the following dictionary in Table 3 via the WebClient:UploadValues\r\nmethod over TLS 1.2.\r\nName | Value\r\nusername | “PureCrypter”\r\ncontent | “\\r\\n:loudspeaker: *NEW EXECUTION*\\r\\n:one: **User** =” + USERNAME + \"\\r\\n:two: **Date UTC** = \" + datetime.get_now + “\\r\\n:three: **File** = “ + FILENAME + “\\r\\n”\r\nTable 3. PureCrypter UploadValues parameters used by the Discord webhook\r\nNew variants of the malware can send a similar message to the author via Telegram. The URL is constructed as follows:\r\nhttps://api.telegram.org/bot + protobuf_configuration.TelegramToken + /sendMessage?chat_id= +\r\nprotobuf_configuration.TelegramID.\r\nThe message is sent via WebClient:DownloadString over TLS 1.2.\r\nPersistence\r\nGiven the StartupSettings members, the PureCrypter injector can achieve persistence using different methods as shown in\r\nTable 4. Firstly, it takes the Location member as a parameter to the Environment.GetFolderPath method. In this case, it\r\nretrieves the %APPDATA% folder and appends the value of the FileName member to it. 
The EnumStartup field indicates\r\nhow to install the malware on the system (for the sake of simplicity, FILENAME is used as a place-holder for the malware\r\ninstallation path).\r\nStartup enumeration | Registry key | Value name | Value data\r\n1 | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | FILENAME | Full path of FILENAME\r\n2 | HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | Shell | explorer,”FILENAME,”\r\n3\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\nStartup\r\n \r\nStartup\r\nFILENAME\r\n%USERPROFILE%\\AppData\\Roami\r\nMenu\\Programs\\ + directory of FILEN\r\nTable 4. PureCrypter registry persistence\r\nTable 5 shows examples of different fake file names and directories used by PureCrypter.\r\nFilename\r\nsvchosts.exe\r\npep\\portexpert_1_8_3_22_en.exe\r\nLibCADPortable_2_1_4.exe\r\nDemo\\adudiodg.exe\r\nCCleanerProfessional\\CCleanerrofessional.exe\r\nfirefox\\firefox.exe\r\nGoogle\\chrome.exe\r\nTaskmgr.exe\r\ntasks\\updete.exe\r\nMicrosoft\\DirectX.exe\r\nACDSee Gemstone Photo\\ACDSeeemstonePhoto.exe\r\nSystemNetwork\\OpticChecker.exe\r\nPlayerFab 7\\PlayerFab7.exe\r\nTable 5. Interesting file names used by PureCrypter for persistence\r\nInjection Methods\r\nThe PureCrypter developer provides three different ways to run the associated malware, which is given by the\r\nEnumInjection member. However, all of them retrieve the embedded malicious payload by decompressing and reversing one\r\nof the resources mentioned earlier.\r\nProcess Hollowing\r\nThe process hollowing technique is pretty classic and comes in 32 and 64-bit flavors (shown in Figure 7). PureCrypter starts\r\nby creating a suspended process via CreateProcessA(). 
The command-line argument is built by concatenating the result of\r\nGetRuntimeDirectory(), the InjectionPath and an “.exe” extension. If the CommandLine struct member is set, then it is also\r\nconcatenated. The remote process memory is unmapped via ZwUnmapViewOfSection() and the associated malware is\r\nwritten to the process memory and executed.\r\nFigure 7. Code snippet of the PureCrypter process hollowing technique\r\nWhat’s interesting about that technique is the choice of the author to put some junk code in the middle of it (as shown in\r\nFigure 8). The code was likely inserted to avoid being detected by a behavioral analysis engine. Here, the Internet Explorer\r\nmain window is retrieved along with its coordinates, but that information is never subsequently used.\r\nFigure 8. Junk code added by PureCrypter\r\nShellcode\r\nThe injector can also run the embedded resource inside its own process by creating a shellcode (Figure 9).\r\nFigure 9. PureCrypter CreateShellcode function\r\nFigure 10 shows the disassembly of the shellcode.\r\nFigure 10. Disassembled x86-64 PureCrypter shellcode\r\nAssembly Loading\r\nThe last way the PureCrypter injector can run its payload is by loading the resource as an assembly and invoking its\r\nentrypoint (as shown in Figure 11).\r\nFigure 11. 
PureCrypter Assembly loading\r\nExtra Anti-* functionalities\r\nSome methods that don’t seem to be referenced, but still are quite interesting in terms of environment detection are the\r\nfollowing: \r\nQueries the WMI object Win32_BIOS for the computer’s SerialNumber and Version and checks if it matches the\r\nregular expression “VMware|VIRTUAL|A M I|Xen”\r\nQueries the WMI object Win32_ComputerSystem for the computer’s Manufacturer and Model and checks if it\r\nmatches the regular expression “Microsoft|VMWare|Virtual”\r\nCalls CheckRemoteDebuggerPresent\r\nChecks for the presence of “SbieDLL.dll” module\r\nChecks specific resolutions of the display monitor\r\nInjected code\r\nThe sample analyzed delivers a SnakeKeylogger variant. This malware family is just one of many payloads observed by\r\nThreatLabz that is injected via a process hollowing technique. This family is already well-documented and its configuration\r\ncan easily be extracted. Figure 12 shows the extracted SnakeKeylogger configuration from this sample.\r\nFigure 12. SnakeKeylogger extracted configuration for a sample dropped by PureCrypter\r\nConclusion\r\nPureCrypter is a fully-functional loader that works as advertised. The usage of Google’s protobuf format makes it more\r\nmalleable and the use of reversed, compressed and encrypted payloads can make it more difficult for static antivirus engines\r\nto detect. ThreatLabz research shows that many different customers are making use of this loader to deliver RATs and\r\ninformation stealers. 
\r\nCloud Sandbox Detection\r\nZscaler's multilayered cloud security platform detects indicators at various levels, as shown below:\r\nWin32.Downloader.PureCrypter\r\nIndicators of Compromise\r\nIoC Type Value\r\nIMG hash 4a88f9feaed04917f369fe5089f5c09f791bf1214673f6313196188e98093d74\r\nPureCrypter\r\nhash\r\n7bd6a945f1de0e390d2669c027549b49107bf116f8b064bf86b5e897794f46f9\r\nSnakeKeylogger\r\nhash\r\na6d53346613f2af382cd90163a9604d63f8d89a951896fc40eed00a116aa55c3\r\nAdditional PureCrypter hashes\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter"
	],
	"report_names": [
		"technical-analysis-purecrypter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a692ac275da022f1fcda8524e934d3fdc5814303.pdf",
		"text": "https://archive.orkl.eu/a692ac275da022f1fcda8524e934d3fdc5814303.txt",
		"img": "https://archive.orkl.eu/a692ac275da022f1fcda8524e934d3fdc5814303.jpg"
	}
}