Table of Contents
  • Home
  • /
  • Blog
  • /
  • What is PureCrypter Malware? How Does PureCrypter Malware Work?
March 7, 2024

What is PureCrypter Malware? How Does PureCrypter Malware Work?

What Is Purecrypter Malware And How Does Purecrypter Malware Work

Multiple government organizations are getting targeted by PureCrypter malware downloader, which further downloads ransomware and info stealers and collects sensitive information from organizations. Researchers have observed a large threat campaign distributed via Discord.

We will discuss in detail what is PureCrypter Malware and how does PureCrypter Malware work in this post.

What is PureCrypter Malware? How Does PureCrypter Malware Work?

PureCrypter malware has been around since 2021 and has been developed using the moniker PureCoder. It provides multiple features, including persistence, fake messaging, injection types, etc.

PureCrypter campaigns use compromised websites of the non-profitable organization to deliver the secondary payload by making it a command-and-control center. The PureCrypter Malware campaign deploys several types of malware, including AgentTesla, Redline Stealer, Arkei, Eternity, Blackmoon, AsyncRAT, etc.

The attack chains are as follows:

Infection Chain, Credits: Minlo

As per the investigation done by Minlo researchers, it was observed Agent Tesla established an FTP connection where the stolen victim credentials were stored. Agent tesla is a very famous .NET malware that has been used in the wild for more than 8 years. This secondary malware is found as a password-protected file in a compromised non-profit website whose credentials were found online.

These similar secondary malware files were also observed in phishing emails as well. The FTP server was also found to be a part of a campaign involving One note.

Technical Details

In the recent campaign, the payload was hosted in the Discord app, and a URL pointing to a password-protected ZIP archive containing a PureCrypter sample was sent via email.

Steps taken by the attacker to deliver the payload are:

  1. The Discord App URL pointing to the payload was sent via email.

  2. The ZIP file contains a .net loader that carries the PureCrypter sample.

  3. The loader downloads the secondary payload from a compromised website.

  4. The secondary payload observed by the researchers in this scenario was Agent Tesla which was communicating to an FTP server hosted in Pakistan.

  5. The downloaded binary has the capacity to evade initial detection using encryption using the DES algorithm.

  6. Agent tesla uses the technique of process hollowing to inject the payload into cvtres.exe. Process hollowing is a method of executing arbitrary code in the address space of a separate live process [MITRE]

  7. Agent Tesla will encrypt the config file using the XOR algorithm. When the file was decrypted, it was observed that the CnC details of the FTP server where the compromised victim data is stored.

Please read the comprehensive technical details here.

MITRE ATT&CK Identifier

Here you see the MITRE ATT&CK identifiers:

  • T1021.005 (VNC)

  • T1027 (Obfuscated Files or Information)

  • T1036.005 (Match Legitimate Name or Location)

  • T1055.001 (Dynamic-link Library Injection)

  • T1056.004 (Credential API Hooking)

  • T1083 (File and Directory Discovery)

  • T1105 (Ingress Tool Transfer)

  • T1119 (Automated Collection)

  • T1137.001 (Office Template Macros)

  • T1140 (Deobfuscate/Decode Files or Information)

  • T1204.002 (Malicious File)

  • T1547.001 (Registry Run Keys / Startup Folder)

  • T1555.003 (Credentials from Web Browsers)

  • T1566 (Phishing)

  • T1566.001 (Spearphishing Attachment)

  • T1566.002 (Spearphishing Link)



  • ftp://ftp[.]mgcpakistan[.]com/

  • Username: ddd@mgcpakistan[.]com




  • be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d

  • 5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99


  • a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e

  • 5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d

  • f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad

  • 397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3

  • 7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8

  • efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf

  • C846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331

Imphash shared by 106 FTP files:

  • F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)

  • 61259b55b8912888e90f516ca08dc514 (10 files)


Attackers are creative enough to bring new technology and methods to exploit and collect sensitive information. Still, the initial access into a network is done by the same old methods as malicious mail or malicious URL. In the end, it is all about the use of being aware of all these potential threats and acting accordingly.

I hope this article gave you more insight into what is PureCrypter Malware and How does PureCrypter Malware work. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription