{
	"id": "4edeb69e-9054-4c6f-a534-a2efe10e2b8a",
	"created_at": "2026-04-06T00:14:51.450087Z",
	"updated_at": "2026-04-10T03:21:40.735744Z",
	"deleted_at": null,
	"sha1_hash": "de7480b3eeb7e4c7bb37a7765f5881d6c0e89b0d",
	"title": "A Full Analysis of the Pure Malware Family: Unique and Growing Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128056,
	"plain_text": "A Full Analysis of the Pure Malware Family: Unique and Growing\r\nThreat\r\nBy khr0x and Jane\r\nPublished: 2024-01-16 · Archived: 2026-04-05 22:30:36 UTC\r\nIn this article, we’re analyzing one of the most unusual crypters— PureCrypter, and a multifunctional stealer — PureLogs.\r\nWe’ll look at several examples and identify patterns among Pure-malware families, and also explain how to detect\r\nPureCrypter and PureLogs. \r\nWhy did we decide to undertake this analysis? \r\nWhile analyzing Public Submissions, we came across several interesting samples. We were intrigued by unusual traffic that\r\nshowed signs of encryption operations on executable files with short keys, as well as TCP connections with high entropy in\r\nthe connections. \r\nInside, all samples looked different from other malware and were very similar to each other. Through network analysis, we\r\nfound a couple of articles dedicated to PureCrypter and the family, which shed light on this group, but we wanted to add our\r\ninsights and combine all the information in one place. \r\nOur objectives were: \r\nStudy the distribution system \r\nInvestigate the distinctive features of PureCrypter and PureLogs \r\nDevelop detection methods for PureCrypter and PureLogs \r\nExamine the traffic \r\nThe distribution of PureCoder products began in March 2021, according to information provided by the developer on the the\r\nmalware’s old website.\r\nInformation about the service on the old website\r\nOn the main page of Pure’s current website, there is a message stating that the software is used for educational and\r\npenetration testing purposes. \r\nhttps://any.run/cybersecurity-blog/pure-malware-family-analysis/\r\nPage 1 of 29\n\nThe website lies about educational and pentesting nature of the software\r\nHowever, it’s worth noting that we observe a trend where the code sold is actually being used for malicious purposes. 
Here\r\nare services whose data show these products being distributed alongside other malware: \r\nANY.RUN Submissions (PureCrypter, PureLogs) \r\nAbuse.ch Bazaar \r\nTelegram update\r\nPure’s update notes tell us that since March 2023, it is also sold through a Telegram bot. Telegram bots make purchasing\r\nmalware more automated and anonymous. The move to a bot shows that the author is actively developing the service, exploring new\r\nchannels, and scaling up. \r\nHere are all the products that this group distributes under the guise of “educational purposes”: \r\nPure products\r\nDespite the claim that these products are distributed for educational purposes, the presence of silent miners, botnets, and\r\nhidden HVNC is hard to square with that claim. \r\nComments and ratings on Pure’s website reveal high demand: every month there are at least a couple of purchases. \r\nComments and reviews on Pure’s website\r\nWe attempted to follow the purchase flow and found that users have to pay in Bitcoin. The\r\npayment page offers several Bitcoin wallets. These wallets are likely part of a Bitcoin mixer. The activity in these wallets\r\nstarted between May 19-26, 2023, and as of the writing of this article, one of them already had 250 transactions\r\namounting to $32,000 (see it on Blockchain.com).\r\nDetails about the cryptocurrency wallet\r\nSo far, we’ve established that there is a wide range of Pure malware, it is popular, and it has existed for several years. Now,\r\nlet’s move on to the technical analysis of the Pure family.\r\nStaged and Stage-less loader \r\nThe deployment of products from the Pure family usually begins with a loader, which comes in two forms: a staged and a stage-less\r\npayload. Let’s analyze the behavior using PureCrypter as an example.\r\nWhat is PureCrypter? 
\r\nPureCrypter is a crypter (or obfuscator), as its name suggests: it applies a set of data obfuscation and encryption\r\nalgorithms which, in combination, hide the payload from antivirus products and complicate manual analysis.\r\nBehaviour flow of PureCrypter\r\nAs seen in the diagram above, the loader comes in two variants, staged and stage-less. In both, the decrypted resources contain\r\nlibraries such as protobuf-net and Costura. Using protobuf-net, the data is deserialized into a configuration that carries the\r\ncompressed payload. After decompression, the payload is launched in a new process with parameters taken from the\r\nconfiguration. \r\nLet’s examine each variant separately. \r\nStaged Loader\r\nSHA256\r\n3ACD90196DCF53DD6E265DC9C89B3CB0C47648A3B7AC8F226C6B4B98F39F2FC8 \r\nThe static analysis of the sample under examination reveals that it’s written in .NET:\r\nInformation from DIE (Detect It Easy) \r\nAfter analyzing the sample in the ANY.RUN sandbox, we determined that a file with an .mp4 extension is downloaded: \r\nPayload download\r\nAdditionally, we found examples downloading payloads with extensions like .vdf, .mp3, etc. This is another characteristic\r\nof the loader: it fetches its payload under a benign-looking file extension. \r\nIn the image above, the downloaded file is not an actual .mp4 file, but an encrypted payload. It’s hard to determine\r\nthe encryption method from the bytes alone, so we will analyze the loader’s code. \r\nCode analysis in dnSpy allowed us to establish that the downloaded payload is encrypted with an XOR operation using a\r\n3-byte key. 
You can see the overall scheme of payload downloading and decryption below: \r\nSource code\r\nTo decrypt the file, we will use our CyberChef recipe.\r\nXOR with the key ”335” in CyberChef\r\nAs evident from the screenshot above, the downloaded and decrypted file is an executable or a library. \r\nNote that XOR is not the only option here: other builds substitute byte reversal or other transformations. \r\nNow, let’s move on to the analysis of the stage-less loader. \r\nStage-less Loader \r\nSHA256\r\n5030BC30C14139D9C48DC4CD175DE6C966E83A9059035D18AF33DDA06F2541AB\r\nUnlike the staged payload, the examined stage-less payload is protected by SmartAssembly, which you can see in DIE:\r\nInformation from DIE\r\nIn the stage-less loader, the payload is stored in a resource in encrypted form:\r\nResource on board\r\nFirst, the resource is decrypted using AES with embedded key material (KEY: dd2e7fe3fd9cb1b2f91a16460c8acb5b and IV:\r\n80f3f9712e01f98fab92ab84ec40a8e5, i.e. a 16-byte key, AES-128) and then decompressed:\r\nRijndael Algorithm\r\nWe will use a CyberChef recipe for decryption. \r\nCyberChef – AES+decompress\r\nAs a result, we get a .NET assembly without executable code but with an encrypted resource, which is in turn decrypted and\r\nloaded as a module: \r\nNchya resource\r\nThe decryption of the second resource is done using 3DES with the key “68433890991609093ead30a9d75c39db” and\r\nIV “4A64DD85048433D7” (a 16-byte key, so two-key 3DES in CBC mode). \r\nLet’s use a CyberChef recipe to decrypt this resource:\r\nCyberChef – TripleDES\r\nAfter decryption, we obtain an executable file or library, as with the staged loader. \r\nNow, let’s move on to the analysis of the obtained files. 
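\r\nThe XOR step of the staged loader is simple enough to reproduce without CyberChef, and in practice the short key often has to be recovered from the encrypted download rather than read out of the loader: the reserved fields of a PE’s DOS header are zero, so wherever the plaintext is zero the ciphertext bytes are the key bytes. The Python below is an added example, not code from this article or from the PureCrypter author. It assumes that the CyberChef key ”335” means the UTF-8 bytes of that string, that the payload is a normal compiler-produced PE whose reserved DOS-header fields (e_res, e_res2) are zero (true of .NET assemblies as well), and that the key is at most 20 bytes long. The fake PE built by make_fake_pe is constructed for the demonstration and is not a sample.\r\n
```python
import struct

# Offsets in the IMAGE_DOS_HEADER whose bytes are zero in virtually every
# compiler-produced PE (including .NET assemblies): e_res (8 bytes) and
# e_res2 (20 bytes). Known plaintext of zeros means ciphertext == key there.
# Assumption: the loader did not patch these fields before encrypting.
_ZERO_RUNS = ((0x1C, 8), (0x28, 20))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    '''XOR data with a repeating key; the operation is its own inverse.'''
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, key_len: int) -> bytes:
    '''Recover a repeating XOR key of key_len bytes from an encrypted PE
    using the zero-filled reserved fields of its DOS header. The 20-byte
    e_res2 run covers every key position for key lengths up to 20.'''
    if not 1 <= key_len <= 20:
        raise ValueError('key length must be 1..20 for this header trick')
    if len(ciphertext) < 0x40:
        raise ValueError('data shorter than a DOS header')
    key = [None] * key_len
    for start, length in _ZERO_RUNS:
        for off in range(start, start + length):
            slot = off % key_len
            if key[slot] is None:
                key[slot] = ciphertext[off]
            elif key[slot] != ciphertext[off]:
                # A real PE with zero reserved fields can never produce this;
                # either the key length is wrong or the payload is not a PE.
                raise ValueError('inconsistent key byte at offset 0x%x' % off)
    return bytes(key)


def is_pe(data: bytes) -> bool:
    '''True if data starts with an MZ header whose e_lfanew points at PE,0,0.'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == bytes([0x50, 0x45, 0, 0])


def decrypt_staged_payload(ciphertext: bytes, key_len: int = 3) -> bytes:
    '''Recover the key, decrypt, and validate that the result is a PE.'''
    key = recover_xor_key(ciphertext, key_len)
    plaintext = xor_bytes(ciphertext, key)
    if not is_pe(plaintext):
        raise ValueError('decrypted data is not a PE file')
    return plaintext


def make_fake_pe() -> bytes:
    '''Constructed stand-in for a downloaded executable (not a real sample):
    a minimal DOS header with e_lfanew = 0x80 and a PE signature there.'''
    hdr = bytearray(0x90)
    hdr[0:2] = b'MZ'
    struct.pack_into('<H', hdr, 0x18, 0x40)     # e_lfarlc, as in real files
    struct.pack_into('<I', hdr, 0x3C, 0x80)     # e_lfanew
    hdr[0x80:0x84] = bytes([0x50, 0x45, 0, 0])  # 'PE', 0, 0
    return bytes(hdr)


if __name__ == '__main__':
    sample = make_fake_pe()
    blob = xor_bytes(sample, b'335')   # what the loader would download
    print('recovered key:', recover_xor_key(blob, 3))
    print('valid PE after decryption:', is_pe(decrypt_staged_payload(blob)))
```
\r\nFor a real download, read the file bytes, call decrypt_staged_payload(blob, 3), and if it raises, loop key_len over 1 to 20; for the builds that reverse bytes instead, apply blob[::-1] before the same checks. The final is_pe check matters: a wrong key length can still yield a consistent-looking key from a short zero run, and only the MZ/PE pair confirms the result.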
\r\nPureCrypter \r\nComparing the entry points of the staged and stage-less PureCrypter builds, we see that they are identical. From this, we can\r\nconclude that they are essentially the same crypter with different delivery. \r\nHere’s the EntryPoint of PureCrypter:\r\nEntryPoint of PureCrypter\r\nPureCrypter can carry two types of payload: third-party malware, or Pure’s own product, PureLogs. Let’s examine\r\neach option separately. \r\n3rd party malware (AgentTesla) \r\nThe program begins by decrypting and loading the .NET assembly resource, just as the stage-less loader does, and in\r\nan identical manner: using AES (Rijndael). \r\nResource decryption with AES (Rijndael)\r\nWe can use this CyberChef recipe for decryption. \r\nCyberChef AES+inflate\r\nAfter the AES step, the program takes this resource and proceeds to the second stage of its decryption. \r\nThe first action the program performs is parsing the header of the data. The first 30 bytes are the length of the data, and the\r\nnext 10 bytes are the XOR key: \r\nThe header\r\nFrom the header, a license and key are obtained. The data can be decrypted using this CyberChef recipe. A similar string was\r\nalready seen in ZGRat.\r\nXOR\r\nAfter decoding the header, the program selects a decryption method. In our case, it is AES. \r\nEncryption selection\r\nFor AES, the IV is the XOR key from the header, 7C685406ED380C74532A9488BA58083D, and the KEY is the last 32 bytes of\r\nthe decrypted header, b2912dfe705af74a11e7d2bf3786103116adee71727185419bf7c4d7f986bd4c (so AES-256). \r\nWe can decrypt the data using a CyberChef recipe. 
\r\nAs a result of the decryption, we obtain a .NET assembly with a set of resources and a block of encrypted strings placed before the MZ\r\nheader. \r\nResources after decryption\r\nThe header of each string looks as follows:  \r\n4 bytes at the beginning and at the end (used for length calculation) \r\n1 byte for the message size (highlighted in red) \r\nAnd the message itself afterwards.\r\nThe header\r\nThe messages can be decrypted using the following CyberChef recipe: \r\nEncoding and XOR\r\nThe resource zJSLu is decrypted in the same way, using AES and decompression. It contains strings that will be used later\r\n(if the corresponding flag is set in the configuration).\r\nThe zJSLu resource, once decrypted (still serialized)\r\nThe malware uses protobuf to deserialize the data, which is taken from the Issal resource after decompression.\r\nDeserialization\r\nAt this point, having decrypted all the resources, we arrive at the program’s main function. But before starting the analysis\r\nof the main function, let’s take a look at what the PureCrypter builder interface looks like:\r\nPureCrypter builder\r\nFrom the screenshot, we can see a large set of functions, including anti-debugging, anti-deletion, and others. Let’s go\r\nthrough the main code and see what techniques are used in this version of the crypter. \r\nCode with configuration analysis and checks.\r\nIn the version under study, the virtual-machine check is disabled, but the functionality is present in the\r\ncode of the program. 
It includes: \r\nCheckRemoteDebuggerPresent to detect an attached debugger; \r\nA check for the Sandboxie sandbox, by looking for the loaded library sbiedll.dll; \r\nA WMI query “select * from Win32_BIOS” to check the BIOS version; \r\nA WMI query “select * from Win32_ComputerSystem”, looking for one of the substrings\r\n“Microsoft|VMWare|Virtual” in the results; \r\nA check of the screen width and height, which must exceed 1024 and 768 pixels, respectively; \r\nA check that the program is running on a 64-bit OS, as most modern operating systems are 64-bit; \r\nA comparison of the current username against a built-in list. \r\nOther capabilities include: \r\n1. A feature to reset the network interface by executing the command “cmd /c ipconfig /release”, presumably to cut\r\nsecurity tools or antivirus software off from their servers. In the sample analyzed, this feature is disabled. \r\n2. Ability to use a mutex to prevent a duplicate copy from launching. In this instance, the mutex is named “Gjrstoo”, but this\r\noption is not active. \r\n3. A function to check if it is running with administrator privileges and to restart with the necessary permissions if needed.\r\nMoreover, the malware runs the Microsoft Defender PowerShell cmdlet “set-mppreference -exclusionpath” to add the entire “C:” drive to the antivirus\r\nexclusions. This function is also disabled. \r\n4. A delayed-execution feature: the program sleeps N times for 1 second each. \r\n5. Capability to execute an arbitrary PowerShell command passed Base64-encoded via the “-enc” parameter. This function is also\r\ndisabled. \r\n6. Displaying a fake error message; this feature is also turned off. \r\n7. Ability to establish persistence through Run registry keys or the Startup directory. 
\r\nThe exact purpose of “ipconfig /release” is unclear, but the functionality exists (the command releases all dynamic IP\r\naddresses the computer obtained from a DHCP server, effectively taking the host offline). \r\nSubsequently, the payload is loaded, either downloaded from the internet (as indicated by the HTTP client) or read from\r\na resource (as in our example).\r\nInjection options\r\n1. Ordinary library loading  \r\n2. Decryption of the resource followed by loading \r\n3. Unclear; possibly, decryption is executed here. \r\nSubsequently, the payload bytes are reversed and decompressed with the same GZIP step, the recipe for which can be found here.\r\nCyberChef – Gunzip\r\nAfter decompression, PureCrypter creates a new process: \r\nAnd injects the payload into this process. \r\nThis is how malware, often stealers and RATs, is commonly delivered. Now let’s move on to analyzing PureLogs,\r\nwhich PureCrypter can carry as its own payload. \r\nPureLogs Loader \r\nPureLogs malware is typically delivered by a loader protected with .NET Reactor. PureLogs itself is a small library\r\ndedicated to data theft. Usually, the loader fetches the library from a C2 server. \r\nAnalysis of the loading traffic revealed that in the first connection an encrypted message is sent, and an encrypted response\r\nis received. All of this occurs within the loader. \r\nFirst connection in the loader\r\nBoth messages within the first connection are encrypted in the same way, but the response carries an additional layer of\r\nserialization, and the payload inside it is encrypted once more, with byte reversal. \r\nFirst, the data is compressed and then encrypted using 3DES with a key (which is stored in the loader’s resources, along\r\nwith the server IP data and client ID). 
However, the stored key is not used directly: it is hashed with MD5 (md5Crypto), and the resulting 16-byte digest\r\n‘9F4D71CF2393253FB5324C6731B962F8’ is the actual 3DES key. \r\nAfter encryption, the program sends this message to the server. The transmission begins with 4 bytes indicating the size\r\nof the message, followed by the message itself. \r\nA complete decryption is presented here:\r\nDecryption key\r\nNow let’s consider the received message. After decryption, the data is deserialized; the embedded payload is then decrypted\r\nagain (3DES+GZIP), in the same way as the initial message, with a byte-reversal step applied at the end. \r\nTripleDES+GZIP (you can immediately remove the first 4 bytes of length or use DROP)\r\nAfter deserialization: TripleDES+GZIP+Reverse\r\nAs a result, we obtain our library, which is responsible for stealing data and then sending it onward. Let’s take a closer look\r\nat it. \r\nPureLogs\r\nPureLogs is a multi-functional stealer. Like PureCrypter, PureLogs has obfuscation and encryption methods that\r\ncomplicate its analysis. But what’s really interesting is its network traffic, which we will discuss in this section. \r\nLike other samples of the Pure family, PureLogs is sometimes confused with ZGRat; we are going to clear up this\r\nmisunderstanding in this article. \r\nLet’s get to the analysis. \r\nLooking at the class library, we immediately see a class called PlgCore (we assume this stands for PureLogsCore).\r\nClassLibrary1\r\nSerialized data enters the library as an argument from a resource, which the loader has loaded from the C2 server. 
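\r\nThe loader’s C2 exchange described above (a 4-byte length prefix, GZIP followed by 3DES with an MD5-derived key, and a byte reversal on the embedded payload) is the same framing that PureLogs uses for its exfiltration and that PureMiner reuses, so it is worth having both a decoder and a traffic heuristic for it. The Python below is an added example, not code from this article or from the Pure authors. Assumptions the article does not state: the length prefix is little-endian (BitConverter.GetBytes on Windows), 3DES runs in CBC mode with PKCS7 padding (the .NET TripleDES defaults), the key is MD5 of a seed that is not shown (the article gives only the derived value 9F4D71CF2393253FB5324C6731B962F8, so the seed and IV used here are constructed placeholders), and the length and entropy thresholds of the heuristic are ours. 3DES comes from pycryptodome; framing, key derivation and the heuristic need only the standard library.\r\n
```python
import gzip
import hashlib
import math
import struct

# Constructed placeholders: the article shows the derived key but not the
# seed behind it, nor how the 3DES IV is chosen.
DEMO_SEED = 'constructed-seed'
DEMO_IV = bytes(range(8))


def md5_key(seed: str) -> bytes:
    '''16-byte 3DES key derived as MD5(UTF-8 seed), the .NET pattern behind
    the md5Crypto naming; a 16-byte key means two-key 3DES.'''
    return hashlib.md5(seed.encode('utf-8')).digest()


def frame(body: bytes) -> bytes:
    '''Prefix a message with its 4-byte little-endian length (assumed order).'''
    return struct.pack('<I', len(body)) + body


def split_frames(stream: bytes) -> list:
    '''Split a reassembled TCP payload into [length][message] frames.'''
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (size,) = struct.unpack_from('<I', stream, pos)
        pos += 4
        if size > len(stream) - pos:
            raise ValueError('frame length %d exceeds remaining %d bytes' % (size, len(stream) - pos))
        frames.append(stream[pos:pos + size])
        pos += size
    if pos != len(stream):
        raise ValueError('trailing bytes after last frame')
    return frames


def shannon_entropy(data: bytes) -> float:
    '''Bits per byte; ciphertext approaches 8.0, text stays well below.'''
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pure_c2(stream: bytes, min_len: int = 512, min_entropy: float = 7.0) -> bool:
    '''Triage heuristic from the traffic pattern in the article: the stream
    parses cleanly into length-prefixed frames with no protocol banner, and
    every frame body is a high-entropy blob. Thresholds are our choice.'''
    try:
        frames = split_frames(stream)
    except ValueError:
        return False
    return bool(frames) and all(
        len(f) >= min_len and shannon_entropy(f) >= min_entropy for f in frames)


def des3_cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    '''3DES-CBC with PKCS7 padding (assumed .NET defaults); needs pycryptodome.'''
    from Crypto.Cipher import DES3
    from Crypto.Util.Padding import pad, unpad
    cipher = DES3.new(key, DES3.MODE_CBC, iv)
    if encrypt:
        return cipher.encrypt(pad(data, 8))
    return unpad(cipher.decrypt(data), 8)


def decode_message(body: bytes, key: bytes, iv: bytes, reverse: bool = False) -> bytes:
    '''Undo the transport encoding in the order of the article’s recipes:
    TripleDES, then GZIP, then (for the embedded payload) byte reversal.'''
    plain = gzip.decompress(des3_cbc(key, iv, body, encrypt=False))
    return plain[::-1] if reverse else plain


def encode_message(plain: bytes, key: bytes, iv: bytes, reverse: bool = False) -> bytes:
    '''Client side of the same scheme, used here only to build sample traffic.'''
    if reverse:
        plain = plain[::-1]
    return frame(des3_cbc(key, iv, gzip.compress(plain), encrypt=True))


def pseudo_random(n: int, label: bytes = b'sample') -> bytes:
    '''Deterministic filler standing in for opaque ciphertext in tests.'''
    out, block = bytearray(), label
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == '__main__':
    key = md5_key(DEMO_SEED)
    report = b'{constructed}' + pseudo_random(2048)   # stands in for serialized system data
    wire = encode_message(report, key, DEMO_IV)
    print('frame looks like Pure C2 traffic:', looks_like_pure_c2(wire))
    print('round trip ok:', decode_message(split_frames(wire)[0], key, DEMO_IV) == report)
```
\r\nFor a real capture, feed the reassembled TCP payload of one direction to split_frames and the key material recovered from the loader’s resources to decode_message; for the library carried inside the server response, decode the outer frame first, extract the embedded blob after deserialization, and decode it again with reverse=True. The heuristic fires on any length-prefixed opaque protocol, so treat it as a triage signal to pair with the MD5-derived-key check rather than as a signature on its own.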
\r\nConfiguration data\r\nInside, it is deserialized and stored as the configuration.\r\nConfiguration\r\nNext, the library walks through a large number of collection routines and gathers data from the system: \r\nBrowser data, including extensions \r\nData about cryptocurrency wallets \r\nComplete information about the user \r\nFull information about the PC configuration \r\nBelow is an example of some of the system data. \r\nSystem data \r\nNext, all the collected data is serialized and, following the same scheme, prepared for transmission:\r\nGZIP compression and 3DES encryption with the pre-existing key. The final connection then sends the gathered data.\r\nData transmission (first 4 bytes indicate size, followed by the message)\r\nThere are three transmissions: the first and the last carry hashes of the data, and the second carries the data itself. \r\nTo decrypt the traffic, we can use this CyberChef recipe. \r\nDecryption of the first message (the last one is identical)\r\nDecryption of the data\r\nAnd with this, we have dissected the traffic and the operation of PureLogs. Now, let’s consider another malware variant\r\nfrom the Pure family: a miner. \r\nPureMiner \r\nWhile examining samples on other services with detections for PureLogs and PureCrypter, we came across several\r\nsamples that didn’t appear to be either but exhibited a strikingly similar signature. \r\nFirstly, the traffic they generated followed an identical pattern (first 4 bytes for length, followed by the remaining bytes\r\nfor data). What’s even more intriguing is that they were encrypted in the same fashion (3DES with a key\r\nthat was likewise derived through MD5Crypto). 
\r\nSecondly, there were similarities in code behavior and module loading, such as the use of the protobuf module for\r\nprocessing configuration data. \r\nThirdly, the code structure closely resembled that of PureCrypter and PureLogs. \r\nLastly, the configurations showed similarities in their structure. \r\nThe diagram below shows this resemblance to PureLogs. It involves the transmission and reception of data from the C2\r\nserver (with the data being encrypted using 3DES).\r\nBased on all of this information, we decided to investigate the discovered sample:\r\nSHA256\r\nA20F2623022BC0D5BDC49B235736CC791A3392198D7A601B2478C1974D5D9F17\r\nThe first thing we noticed during our analysis was the sample’s behavior when executed with administrative privileges (we\r\nwill see why we executed the sample with admin privileges later on). \r\nThe process of restarting using cmd\r\nAfter the restart, the program creates a scheduled task in Task Scheduler to launch its copy at\r\n%APPDATA%\\HResult\\TypeId.exe. Following this, there is an injection into a new legitimate process.\r\nThe process is launched under Task Scheduler\r\nAfter analyzing the behavior, we proceeded with an in-depth analysis of the sample. We discovered its configuration, which\r\nuses protobuf. \r\nConfiguration\r\nAdditionally, there is an executable file that appears to be responsible for executing commands from the C2 server. Its\r\nstrings mention the XMRig miner. 
We suspect that this component is the miner’s dropper, which runs it silently.\r\nStrings from the miner\r\nWe decided to decrypt the traffic to understand what information is being transmitted and what comes back in response. We\r\nmanaged to obtain the decryption key. It was no surprise that the traffic was encrypted using the same 3DES scheme, with\r\nthe first 4 bytes representing the length, which we remove: \r\nDecrypted traffic\r\nThe decryption recipe is available here. And here’s the link to a server response.  \r\nResponse from the server\r\nAnd with this, we have found another malware from the Pure family: a miner. PureMiner collects information about the\r\nsystem and sends it to the C2. After this, it receives a response with mining instructions.\r\nLet’s wrap up the analysis \r\nTo summarize: this was one of the most comprehensive investigations we’ve done so far at ANY.RUN. We analyzed a\r\nwidely popular and rapidly spreading malware family, Pure, and even uncovered a new variant, a miner. \r\nPure tools masquerade as legitimate software created for “educational purposes”. But analysis of the code clearly shows that\r\nit is a powerful malicious toolkit. Recently, the creators began distributing it through a Telegram bot, which indicates that they\r\nare scaling the operation. Currently, Pure receives at least a couple of orders every month, but it’s highly likely that its\r\npopularity will start skyrocketing in the near future. \r\nWe hope that this analysis helped you better understand how to reverse and detect malware from the Pure family, so that\r\nwhen you encounter it, you’ll be well prepared. \r\nIf you have any information to add about Pure, we’d love to hear it. Let’s discuss in the comments below. 
And as always,\r\nmake sure to share your thoughts about the article.\r\nAbout ANY.RUN\r\nANY.RUN is an interactive malware analysis sandbox that streamlines the work of SOC and DFIR teams. Our service is\r\ntrusted by 300,000 professionals worldwide who use it to investigate both emerging and persistent threats.\r\nRequest a free trial of ANY.RUN for 14 days to explore all the features we offer.\r\nMITRE ATT\u0026CK Matrix\r\nTactic | Technique | Description\r\nDefense Evasion | T1140 - Deobfuscate/Decode Files or Information | Deobfuscates/decodes resources and files\r\nDiscovery | T1082 - System Information Discovery | Pure malware collects system information\r\nDiscovery | T1083 - File and Directory Discovery | PureLogs locates files to steal\r\nCollection | T1119 - Automated Collection | Collects information automatically\r\nCollection | T1005 - Data from Local System | Searches local sources for data to steal\r\nCommand and Control | T1071.001 - Application Layer Protocol: Web Protocols | C2 connection and payload delivery\r\nIOCs\r\nPureCrypter\r\nFile\r\n0f60f086665fd4d442821851c878c21b \r\nMD5  0f60f086665fd4d442821851c878c21b \r\nSHA256  3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8 \r\nSHA1  a4d4f31fb794bbf59be542f493aea9f9e3857d4 \r\nDropped file \r\nPath  C:\\Users\\admin\\AppData\\Roaming\\ydVSL\\ydVSL.exe  \r\nSHA256  3acd90196dcf53dd6e265dc9c89b3cb0c47648a3b7ac8f226c6b4b98f39f2fc8 \r\nConnections \r\n5[.]181.80.126 \r\nURLs\r\nHttp[x]://5.181.80.126/Hjysa.mp4 \r\nFile\r\nQUOTATION_NOVQTRFA00541·PDF.scr \r\nFile\r\n0f60f086665fd4d442821851c878c21b\r\nMD5  83999a2ce0109ea4adbecb3a96744e8c \r\nSHA256  5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab \r\nSHA1  4b94f4b23b157c7ae2df54e251cd4d22c683134d \r\nDomain \r\ngator3220.hostgator[.]com \r\nPureLogs \r\nFile\r\nRH2023-17.exe \r\nMD5  a7c14a39a5ee93ca25ab793be06c1478 
\r\nSHA256  e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7 \r\nSHA1  c9eb61977fa0fd1bf1c9e7175a0088289e6b9bbd \r\nDropped file\r\nPath  C:\\Users\\admin\\AppData\\Roaming\\Xokmrjn.exe  \r\nSHA256  e5b27dc1672088a5a584467511a02844d45f4eb6af92a96373c803fd3dc5e6b7 \r\nPath  C:\\Users\\admin\\AppData\\Local\\Temp\\Costura\\1485B29524EF63EB83DF771D39CCA767\\64\\sqlite.interop.dll  \r\nSHA256  5f0e72e1839db4aa41f560e0a68c7a95c9e1656bc2f4f4ff64803655d02e5272 \r\nConnections \r\n91[.]92.120.119 \r\nDomain \r\nTeleturismo[.]it \r\nPureMiner \r\nFile\r\n491310d10c0ea2d217c90a2403c20bea \r\nMD5  491310d10c0ea2d217c90a2403c20bea \r\nSHA256  a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17 \r\nSHA1  5bd371ae2edc0c2cf926e1543e4cdd7d92c83577 \r\nDropped file\r\nPath  C:\\Users\\admin\\AppData\\Roaming\\HResult\\TypeId.exe  \r\nSHA256  a20f2623022bc0d5bdc49b235736cc791a3392198d7a601b2478c1974d5d9f17 \r\nConnections \r\n91[.]92.240.95 \r\nDomain \r\nFarmjo[.]mine.nu \r\nMore Submissions \r\nhttps://app.any.run/tasks/f972efd3-c053-42c2-a2d4-eade0f40acfb/\r\nhttps://app.any.run/tasks/c4344ee1-bcd6-438f-9aba-f13c1c3dcca9/\r\nhttps://app.any.run/tasks/629232cd-67e4-4f3b-880d-34c3675931a0/\r\nhttps://app.any.run/tasks/50294ac2-f3c1-43bd-9bec-0527fb1b8443/\r\nANY.RUN malware analyst\r\nkhr0x\r\nI'm 21 years old and have worked as a malware analyst for more than a year. I like finding out what kind of malware got on my\r\ncomputer. In my spare time I do sports and play video games.\r\nANY.RUN writer and network traffic analyst\r\nJane\r\nI'm an ANY.RUN ambassador and a real network traffic numismatist. I also love penguins and tortoises. 
My motto is to do\r\ngood and throw it into the sea.\r\nSource: https://any.run/cybersecurity-blog/pure-malware-family-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/pure-malware-family-analysis/"
	],
	"report_names": [
		"pure-malware-family-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de7480b3eeb7e4c7bb37a7765f5881d6c0e89b0d.pdf",
		"text": "https://archive.orkl.eu/de7480b3eeb7e4c7bb37a7765f5881d6c0e89b0d.txt",
		"img": "https://archive.orkl.eu/de7480b3eeb7e4c7bb37a7765f5881d6c0e89b0d.jpg"
	}
}