VRad

#PureCrypter_290124

Jan 29th, 2024 (edited)
#IOC #OptiData #VR #PureCrypter #ZGRat #PureLog #Stealer #MassLogger #RAR #EXE

https://pastebin.com/CaYPSqnB

previous_contact:
18/08/20 https://pastebin.com/4uXgesYV

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger


attack_vector
--------------
email attach .gz (RAR) > .exe > get .dat > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: 29 Jan 2024 03:15:03 +0100
Subject: ref_swift_a2390e
From: Madalin Ceausescu <madalin@infosuyunrnedical_com>
Received: from mail.infosuyunrnedical_com ([104_168_173_98])
Received: from [172_93_160_112] (unknown [172_93_160_112])
Message-ID: <20240129031503.2B85E10C1C4D420D@infosuyunrnedical_com>

# # # # # # # #
files
# # # # # # # #
SHA-256 4a639abd12bfb6f6d66d9d3dd3ec4034f34e05dd91d0c5e9f9ae99ce0b97cf51
File name CopyofSwift_41AUD_....gz [RAR archive data, v5]
File size 69.85 KB (71527 bytes)

SHA-256 3522c4380138f81dce5085c66b158b6069238c6737ece7be4b433c29fcfcc39b
File name CopyofSwift.exe [Microsoft Visual C++ vx.x DLL] !PureCrypter
File size 198.16 KB (202912 bytes)

SHA-256 79bba6492afd8013bf0e6c2671215f0710abb72a63796a4eb817ec0afa04cf56
File name Raliycrvk.dat [data, HomeLab/BraiLab Tape image] !MassLogger
File size 1.35 MB (1418752 bytes)

SHA-256 5f0e72e1839db4aa41f560e0a68c7a95c9e1656bc2f4f4ff64803655d02e5272
File name sqlite.interop.dll [Win32 DLL] !SQLite3
File size 1.75 MB (1830064 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR sata-alloy_com / puzzle / Raliycrvk.dat

C2 94_156_66_79 : 6734

netwrk
--------------
162_0_211_204 sata-alloy_com 80 HTTP GET / puzzle / Raliycrvk.dat HTTP/1.1
94_156_66_79 6734 TCP 49242 → 6734 [SYN]

comp
--------------
CopyofSwift.exe 2664 TCP 162_0_211_204 80 ESTABLISHED
CopyofSwift.exe 2664 TCP 94_156_66_79 6734 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\CopyofSwift.exe
C:\Users\operator\Desktop\CopyofSwift.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 29.01.2024 10:25
TRichViewDelphi.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\trichviewdelphi.vbs

drop
--------------
C:\Users\operator\AppData\Roaming\TRichViewDelphi.exe
%temp%Fzvibvnol.tmp
%temp%Mwhmpjhm.tmp
%temp%Costura\1485B29524EF63EB83DF771D39CCA767\64\sqlite.interop.dll
%temp%Crziehgh\axdea46y.default\logins.json
%temp%Crziehgh\axdea46y.default\key3.db

# # # # # # # #
additional info
# # # # # # # #
exe description: TRichView VCL Trial for Delphi Setup
company: Sergei Vladimirovich Tkachenko IP

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4a639abd12bfb6f6d66d9d3dd3ec4034f34e05dd91d0c5e9f9ae99ce0b97cf51/details
https://www.virustotal.com/gui/file/3522c4380138f81dce5085c66b158b6069238c6737ece7be4b433c29fcfcc39b/details
https://analyze.intezer.com/analyses/328c90c4-1a33-4f21-93e7-ce2e772e5fc5
https://www.virustotal.com/gui/file/79bba6492afd8013bf0e6c2671215f0710abb72a63796a4eb817ec0afa04cf56/details
https://www.virustotal.com/gui/file/5f0e72e1839db4aa41f560e0a68c7a95c9e1656bc2f4f4ff64803655d02e5272/details

VR