
Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One

BY eSentire Threat Response Unit (TRU)

May 8, 2025 | 13 MINS READ


Key takeaways:

  • Pure Crypter is a sophisticated malware-as-a-service (MaaS) loader that's being widely used by threat actors and is distributed through an automated Telegram channel.
  • The malware employs multiple evasion techniques including AMSI bypass, DLL unhooking, anti-VM detection, anti-debugging measures, and recently added capabilities to bypass Windows 11 24H2 security features through NtManageHotPatch API patching.
  • The developers use deceptive marketing tactics by promoting "Fully UnDetected" (FUD) status based on avcheck[.]net results, while VirusTotal shows detection by multiple AV/EDR solutions, revealing significant discrepancies in detection rates.
  • eSentire developed an automation tool called PureCrypterPunisher that helps security researchers automate the unpacking process, extract malware configurations, and decrypt embedded strings from Pure Crypter samples for better analysis and detection capabilities.

What did we find?

Throughout 2024 and 2025, eSentire's Threat Response Unit (TRU) has conducted extensive surveillance of Pure Crypter, a malware-as-a-service (MaaS) loader that has emerged as the preferred choice for diverse threat actors targeting Windows-based systems.

The loader has been particularly prevalent in deploying information stealers such as Lumma and Rhadamanthys, primarily utilizing the ClickFix initial access vector. With the release of Windows 11 24H2, Microsoft attempted to crack down on malware loaders by preventing Process Hollowing based injection.

However, Pure Crypter's developers, along with other malware authors, found an elementary bypass by simply patching the NtManageHotPatch API in memory.

The widespread adoption of Pure Crypter across multiple industries signifies its strategic importance in the current threat landscape. In response, this technical analysis serves two primary objectives:

  1. Provides a comprehensive examination of Pure Crypter's architectural components.
  2. Introduces a specialized automation tool developed by eSentire that enables security researchers to:
    • Automate the unpacking process
    • Extract malware configurations
    • Decrypt embedded strings from Pure Crypter samples

Distribution and Pricing

Pure Crypter is marketed on hacking forums, primarily Hackforums[.]net, where the vendor 'PureCoder' sells the malware through tiered subscriptions: $159 for three months, $399 for one year, or $799 for lifetime access (Figure 1).

Figure 1 – Pure Coder’s sales thread on HackForums[.]net

The distribution of Pure Crypter is facilitated through an automated Telegram channel, @ThePureBot. This distribution platform serves as a centralized marketplace for the broader Pure malware suite, which encompasses:

The automated system streamlines the procurement and delivery process for threat actors seeking access to these malicious tools.

Figure 2 – @ThePureBot telegram bot that facilitates distribution

Following the purchase of Pure Crypter, customers receive automated updates via @ThePureBot containing antivirus detection analytics from avcheck[.]net. This platform is preferred by crypter developers for its discreet scanning: it does not share analyzed samples with antivirus or EDR vendors, a practice that would otherwise increase detection rates.

The dissemination of these scan results serves a dual purpose: marketing effectiveness and operational validation. The results demonstrate Pure Crypter's ability to generate "FUD" (Fully UnDetected) payloads, a critical metric for threat actors seeking to maximize successful execution rates on target systems. This capability is particularly valuable in the malware marketplace, as lower detection rates correlate directly with higher successful infection rates on victim endpoints.

Figure 3 – Scan results disseminated by @ThePureBot

Deceptive Marketing

Analysis of avcheck[.]net results, as illustrated in the figure below, indicates zero detections across AV/EDR platforms for the crypted sample. However, our research reveals significant discrepancies between these marketed results and real-world detection rates.

Through empirical testing, we uploaded multiple samples of new Pure Crypter stubs to VirusTotal for comparative analysis. The findings demonstrated that even with newly generated stubs, a minimum of 20 AV/EDR solutions successfully detected the malware.

This substantial disparity leads to two critical conclusions:

  1. The reliability of avcheck[.]net as a detection testing platform is questionable, producing results that do not align with actual detection rates.
  2. The Pure product group appears to be leveraging these misleading results in their marketing strategy, potentially deceiving customers about the crypter's effectiveness to encourage subscription renewals.
Figure 4 – “FUD” scan results from avcheck[.]net

Operational Security Measures

Prior to purchasing Pure Crypter, users are required to acknowledge a Terms of Service (ToS) agreement, as shown in the figure below. This ToS requirement serves a specific purpose within the operational context of Hackforums[.]net, where the explicit sale of malicious software is prohibited.

The implementation of this ToS agreement appears to be a calculated measure by PureCoder to maintain their presence on Hackforums[.]net while circumventing the platform's restrictions on malicious software distribution. This procedural formality demonstrates the vendor's attempt to establish a veneer of legitimacy, despite the tool's intended malicious purpose.

Figure 5 – Pure Crypter ToS agreement

Pure Crypter GUI

The PureCrypter graphical user interface (GUI) can be seen in the figures below and provides an intuitive environment for payload manipulation. The interface facilitates payload loading through two primary vectors: direct file system access or URL-based retrieval.

Usage limitations are implemented through a quota system:

This quota system appears to be designed to prevent abuse while maintaining service availability for the intended userbase. The streamlined interface reduces technical barriers to entry, enabling users to conduct packing operations without extensive technical expertise.

Figure 6 – Pure Crypter Input Payload Menu

As illustrated in the figure below, PureCrypter's configuration interface presents users with an extensive array of evasion and persistence options designed to enhance payload efficacy. A non-exhaustive list of some of the available features include:

These modular options enable users to implement multiple layers of defense evasion and detection avoidance techniques within the packed payload. Each feature can be selectively enabled to create customized evasion profiles based on the target environment.

Figure 7 – Pure Crypter Payload Behavior Menu

Pure Crypter Analysis

In early stages of the unpacking process, the Pure Crypter stub loads/decrypts an assembly that handles storing of decrypted strings in the application domain cache via the AppDomain.SetData() method.

This assembly also serves to defeat dynamic string resolution by tools like SimpleAssemblyExplorer; however, simply renaming the assembly in a tool like dnSpyEx and saving the changes is enough to get past this check. After the SetData() method is called, GetData() is used throughout to resolve decrypted strings by index on an as-needed basis.

Figure 8 – Check for dynamic string resolution tools, storing strings in appdomain cache

The main method of Pure Crypter begins with decrypting, decompressing, and deserializing a byte array that contains the malware configuration as a Protobufs-serialized message. This configuration stores several booleans that determine whether or not to execute optional methods, as well as strings used throughout and encrypted/compressed payloads.

Figure 9 – Decrypt and deserialize Protobufs-based malware configuration

After deserializing the malware configuration, several optional methods are called, beginning with preventing multiple instances of the loader from running at the same time via mutex. The name of the mutex is specified by a string variable specified in the malware configuration.

Figure 10 – “Single Instance” feature that uses Mutex

The next optional method called executes several checks against virtual machines, usernames, and loaded modules.

The first uses CheckRemoteDebuggerPresent() API to determine if the process is being debugged:

Figure 11 – Check if debugger present via CheckRemoteDebuggerPresent API

The next checks if the parent process is cmd.exe (Command Prompt):

Figure 12 – Check if parent process is cmd.exe

The next checks use WMI queries “select * from Win32_BIOS” and “select * from Win32_ComputerSystem” searching for strings matching the regular expression, “VMware|VIRTUAL|A M I|Xen”:

Figure 13 – Check if virtual machine via WMI query against Win32_BIOS class
Figure 14 – Check if virtual machine via WMI query against Win32_ComputerSystem class

This is followed by checks against loaded modules matching “SbieDll.dll” (Sandboxie DLL), and “cuckoomon.dll” (Cuckoo Sandbox DLL):

Figure 15 – Check if Sandboxie or Cuckoo sandbox DLL loaded into process

The final check involves checking if the height/width of the monitor is 1440 x 900 or 1024 x 768 (or less) and usernames: “john”, “anna”, and “xxxxxxxx”:

Figure 16 – Screen resolution and username checks
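The checks in Figures 11 through 16 are exactly the artifacts an analyst has to remove from a detonation environment before a Pure Crypter sample will run to completion. The following script is an added example, not code from the eSentire post or from PureCrypterPunisher: it takes a small profile of an analysis host (the profile format, the WMI property names carried in it, and both sample profiles are constructed for the example) and reports which of the post's checks that host would trip. The regex is used exactly as quoted in the post; whether the loader matches it case-insensitively is not stated, so case-sensitive matching is an assumption here.

```python
"""
Evaluate an analysis-host profile against the anti-analysis checks the post
attributes to Pure Crypter: debugger presence, cmd.exe parent, VM strings in
Win32_BIOS / Win32_ComputerSystem, sandbox DLLs, screen resolution, usernames.
Added example; profile format and sample profiles are constructed.
"""
import re
from typing import Dict, List

# Regex quoted in the post. Case-sensitive matching is an assumption.
VM_PATTERN = re.compile(r"VMware|VIRTUAL|A M I|Xen")
SANDBOX_MODULES = {"sbiedll.dll", "cuckoomon.dll"}   # Sandboxie, Cuckoo
FLAGGED_USERS = {"john", "anna", "xxxxxxxx"}
FLAGGED_RESOLUTIONS = {(1440, 900)}
SMALL_RESOLUTION = (1024, 768)   # this size or smaller is flagged as well


def evaluate_profile(profile: Dict) -> List[str]:
    """Return a description of every check in the post that this profile would trip."""
    hits: List[str] = []
    if profile.get("debugger_present"):
        hits.append("CheckRemoteDebuggerPresent")
    if profile.get("parent_process", "").lower() == "cmd.exe":
        hits.append("parent process is cmd.exe")
    # The loader regex-matches the rows returned by "select * from <class>";
    # the profile carries the string-valued properties of each class.
    for wmi_class in ("Win32_BIOS", "Win32_ComputerSystem"):
        for prop, value in profile.get(wmi_class, {}).items():
            if VM_PATTERN.search(str(value)):
                hits.append(f"{wmi_class}.{prop} = {value!r} matches VM pattern")
    for module in profile.get("loaded_modules", []):
        if module.lower() in SANDBOX_MODULES:
            hits.append(f"sandbox module loaded: {module}")
    screen = profile.get("screen")
    if screen:
        w, h = screen
        if (w, h) in FLAGGED_RESOLUTIONS or (w <= SMALL_RESOLUTION[0] and h <= SMALL_RESOLUTION[1]):
            hits.append(f"screen resolution {w}x{h}")
    if profile.get("username", "").lower() in FLAGGED_USERS:
        hits.append(f"username {profile['username']}")
    return hits


# Constructed profiles: an out-of-the-box VM sandbox and a hardened one.
SANDBOX_DEFAULT = {
    "debugger_present": False,
    "parent_process": "cmd.exe",
    "Win32_BIOS": {"Manufacturer": "VMware, Inc.", "SMBIOSBIOSVersion": "VMW71.00V.0"},
    "Win32_ComputerSystem": {"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"},
    "loaded_modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    "screen": (1024, 768),
    "username": "john",
}
SANDBOX_HARDENED = {
    "debugger_present": False,
    "parent_process": "explorer.exe",
    "Win32_BIOS": {"Manufacturer": "Dell Inc.", "SMBIOSBIOSVersion": "1.14.0"},
    "Win32_ComputerSystem": {"Manufacturer": "Dell Inc.", "Model": "Latitude 7420"},
    "loaded_modules": ["ntdll.dll", "kernel32.dll"],
    "screen": (1920, 1080),
    "username": "mwilliams",
}


def report(profiles: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each profile name to the list of checks it trips."""
    return {name: evaluate_profile(p) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, hits in report({"default": SANDBOX_DEFAULT, "hardened": SANDBOX_HARDENED}).items():
        print(f"{name}: {len(hits)} check(s) tripped")
        for h in hits:
            print("  -", h)
```

On a real host the profile values come from the same sources the loader reads: the WMI classes named above, the process module list, the desktop resolution and the current username. An empty result for a profile means none of the conditions described in the post would stop the sample.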

The next optional method disables the internet via the LOLBin ipconfig.exe (ipconfig /release). The purpose of this method is to prevent AV/EDR agents from communicating with their backend, and thereby to prevent the sample from being uploaded for analysis.

Figure 17 – “Disable Internet” feature that uses ipconfig /release

The optional Execution Delay feature makes use of the Windows API SleepEx to wait for a specified number of seconds.

Figure 18 – “Execution Delay” feature that uses SleepEx API

There are two options in Pure Crypter to disable AMSI:

  1. The first technique involves patching the AmsiScanBuffer API in memory with the following bytes:

    B8 57 00 07 80 C3
    Figure 19 – Instructions used in patching AmsiScanBuffer (64-bit)
    B8 57 00 07 80 C2 18 00
    Figure 20 – Instructions used in patching AmsiScanBuffer (32-bit)
    Figure 21 – AMSI bypass by patching AmsiScanBuffer
  2. The second technique involves patching the EtwEventWrite API in memory with the following bytes:

    C3
    Figure 22 – Instruction used in patching EtwEventWrite (64-bit)
    C2 14 00
    Figure 23 – Instruction used in patching EtwEventWrite (32-bit)
    Figure 24 – AMSI bypass by patching EtwEventWrite
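Both patches above overwrite the first bytes of an exported function, so the defender's check is a prologue comparison: read the live bytes of AmsiScanBuffer and EtwEventWrite in a process, diff them against the clean copy from the DLL on disk, and additionally match the specific stubs the post lists. The script below is an added example (not code from the eSentire post or from PureCrypterPunisher) that implements that comparison over a constructed snapshot; the "clean" prologue byte strings are placeholders, not real amsi.dll or ntdll.dll bytes, and the snapshot format is an assumption. The diff step is what catches a patch the stub list does not know about, which the last snapshot entry illustrates.

```python
"""
Compare live function prologues against clean references and against the
AmsiScanBuffer / EtwEventWrite stubs listed in the post.
Added example; the snapshot below is constructed, not captured from a host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stubs from the post and what the bytes decode to:
#   B8 57 00 07 80  mov eax, 0x80070057   (E_INVALIDARG: caller sees a failed scan)
#   C3              ret                   (x64)
#   C2 18 00        ret 0x18              (x86 stdcall: pops AmsiScanBuffer's six 4-byte args)
#   C2 14 00        ret 0x14              (x86 stdcall: pops EtwEventWrite's 0x14 bytes of args)
KNOWN_STUBS: Dict[Tuple[str, str], bytes] = {
    ("AmsiScanBuffer", "x64"): bytes.fromhex("B857000780C3"),
    ("AmsiScanBuffer", "x86"): bytes.fromhex("B857000780C21800"),
    ("EtwEventWrite", "x64"): bytes.fromhex("C3"),
    ("EtwEventWrite", "x86"): bytes.fromhex("C21400"),
}


@dataclass
class PatchFinding:
    function: str
    arch: str
    tampered: bool               # live bytes differ from the clean reference
    known_stub: Optional[str]    # "<function>/<arch>" if a listed stub matched
    diff_offset: Optional[int]   # first differing byte, None when identical


def first_difference(clean: bytes, live: bytes) -> Optional[int]:
    """Offset of the first mismatching byte, or None if the two agree."""
    n = min(len(clean), len(live))
    for i in range(n):
        if clean[i] != live[i]:
            return i
    return None if len(clean) == len(live) else n


def compare_prologue(function: str, arch: str, clean: bytes, live: bytes) -> PatchFinding:
    diff = first_difference(clean, live)
    stub = KNOWN_STUBS.get((function, arch))
    matched = f"{function}/{arch}" if stub is not None and live.startswith(stub) else None
    return PatchFinding(function, arch, diff is not None, matched, diff)


def scan_snapshot(snapshot) -> List[PatchFinding]:
    """snapshot: iterable of (function, arch, clean_bytes, live_bytes)."""
    return [compare_prologue(*entry) for entry in snapshot]


# Constructed placeholder "clean" prologues (not real DLL bytes).
CLEAN_AMSI_X64 = bytes.fromhex("4C8BDC49895B0849897310574883EC70")
CLEAN_AMSI_X86 = bytes.fromhex("8BFF558BEC83EC1C5356578B7D08")
CLEAN_ETW_X64 = bytes.fromhex("4883EC38488B4424604889442420EB00")

# Constructed snapshot: clean copy beside what a process would show.
SAMPLE_SNAPSHOT = [
    # untouched function
    ("AmsiScanBuffer", "x64", CLEAN_AMSI_X64, CLEAN_AMSI_X64),
    # 64-bit stub from Figure 19 written over the entry
    ("AmsiScanBuffer", "x64", CLEAN_AMSI_X64,
     KNOWN_STUBS[("AmsiScanBuffer", "x64")] + CLEAN_AMSI_X64[6:]),
    # 32-bit stub from Figure 20
    ("AmsiScanBuffer", "x86", CLEAN_AMSI_X86,
     KNOWN_STUBS[("AmsiScanBuffer", "x86")] + CLEAN_AMSI_X86[8:]),
    # EtwEventWrite neutered with the bare ret from Figure 22
    ("EtwEventWrite", "x64", CLEAN_ETW_X64, b"\xC3" + CLEAN_ETW_X64[1:]),
    # an unlisted patch (jmp rel32 at entry): caught by the diff, not by the stub list
    ("AmsiScanBuffer", "x64", CLEAN_AMSI_X64, b"\xE9\x00\x10\x00\x00" + CLEAN_AMSI_X64[5:]),
]


def summarize(findings: List[PatchFinding]) -> List[str]:
    """One console line per finding."""
    lines = []
    for f in findings:
        if not f.tampered:
            lines.append(f"{f.function} ({f.arch}): clean")
        elif f.known_stub:
            lines.append(f"{f.function} ({f.arch}): PATCHED at +{f.diff_offset}, known stub {f.known_stub}")
        else:
            lines.append(f"{f.function} ({f.arch}): PATCHED at +{f.diff_offset}, unknown stub")
    return lines


if __name__ == "__main__":
    for line in summarize(scan_snapshot(SAMPLE_SNAPSHOT)):
        print(line)
```

On a live Windows host the same comparison is driven by resolving each export's address in the target process and reading its first bytes, with the reference taken from the DLL file on disk; only the data source changes, the comparison logic above stays the same.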

The next optional method is the “Dll Unhooking” feature within Pure Crypter, which serves to load “clean” copies of kernel32.dll (Windows 10 or higher) and ntdll.dll, effectively bypassing any hooks already put in place by AV/EDR.

Figure 25 – “DLL Unhooking” feature

The next optional method makes use of PowerShell to add an exclusion to Windows Defender, effectively causing Windows Defender to ignore the loader and/or persisted loader executable.

Figure 26 – Windows Defender exclusion via encoded PowerShell command

The next optional method supports running arbitrary PowerShell command supplied by the threat actor:

Figure 27 – "Run Powershell" feature in Pure Crypter

The next methods handle persistence, where persistence is achieved by writing the loader into a specified directory from the config and then setting up persistence via Run key, scheduled task, or VBScript (.vbs) in the user’s startup folder.

Junk data of around 260 – 300 MB may also be appended to the file if configured. This optional setting hampers AV/EDR products, which impose file size limits on uploads to their backend.

Figure 28 – Persistence routine
Figure 29 – Persistence routine (continued)
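The "Disable Internet", Defender exclusion, "Run Powershell" and persistence features described above all surface in ordinary endpoint telemetry: process-creation events for ipconfig.exe, powershell.exe, schtasks.exe and wscript.exe, and a registry value set under a Run key. The triage script below is an added example (not code from the eSentire post or from PureCrypterPunisher) that runs those rules over constructed Sysmon-style event records; the field names, the loader path and the task name are placeholders, and the encoded PowerShell is built inside the script so that the decoding step can be exercised offline.

```python
"""
Triage process-creation and registry events for the Pure Crypter behaviours
described in the post: ipconfig /release, encoded PowerShell adding a Defender
exclusion, and persistence via scheduled task, Run key or Startup-folder .vbs.
Added example; event records and paths below are constructed placeholders.
"""
import base64
import re
from typing import Dict, List, Tuple

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script)
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
STARTUP_VBS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"']+\.vbs", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for one event."""
    findings: List[Tuple[str, str]] = []
    if event.get("EventType") == "RegistryValueSet":
        if RUN_KEY.search(event.get("TargetObject", "")):
            findings.append(("persist_run_key", event.get("TargetObject", "")))
        return findings
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image == "ipconfig.exe" and "/release" in cmd.lower():
        findings.append(("disable_internet", cmd))
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings.append(("encoded_powershell", decoded))
        if DEFENDER_EXCLUSION.search(decoded or cmd):
            findings.append(("defender_exclusion", decoded or cmd))
    if image == "schtasks.exe" and re.search(r"(?:^|\s)/create\b", cmd, re.I):
        findings.append(("persist_scheduled_task", cmd))
    if image in ("wscript.exe", "cscript.exe") and STARTUP_VBS.search(cmd):
        findings.append(("persist_startup_vbs", cmd))
    return findings


def triage(events) -> List[List[Tuple[str, str]]]:
    return [triage_event(e) for e in events]


# Constructed sample events (placeholder paths and names).
_EXCLUSION_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\loader.exe'"
_ENCODED = base64.b64encode(_EXCLUSION_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "CommandLine": "ipconfig /release"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc {_ENCODED}"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 1 /tn \"Updater\" /tr \"C:\\Users\\Public\\loader.exe\""},
    {"EventType": "RegistryValueSet",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\loader.exe"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\loader.vbs\""},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(event.get("Image") or event.get("TargetObject"))
        for rule, evidence in findings:
            print(f"  [{rule}] {evidence[:80]}")
```

The Run key rule deliberately keys on a registry-value event rather than on reg.exe, because a .NET loader sets the value through the registry API without spawning a child process; the scheduled-task and Startup-folder rules rely on the processes those mechanisms do create.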

The next optional method corresponds to the “Anti File Delete” feature in Pure Crypter. This technique involves opening a file handle with FILE_SHARE_READ permissions only and having explorer.exe receive the handle via the Windows API DuplicateHandle().

Figure 30 – “Anti File Delete” feature in Pure Crypter

Pure Crypter supports three methods for executing a payload, which are described below.

  1. “Reflection” - This method supports only .NET PE files, which are loaded and invoked as shown in the figure below.

    Figure 31 – “Reflection” injection feature in Pure Crypter
  2. “RunPE” - RunPE, also known as Process Hollowing, is a process injection technique that involves creating a process in a suspended state, unmapping the main section, overwriting it, setting the thread context, and resuming the thread. This is accomplished via the Windows APIs GetThreadContext, ReadProcessMemory, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and NtResumeThread.

    Figure 32 – “RunPE” injection feature in Pure Crypter

    The figure below displays the logic used to determine if the victim machine is on build 26100 (24H2) or newer. This is a new addition to Pure Crypter and was added in January 2025 due to changes in Windows 24H2 that effectively prevents process hollowing.

    Figure 33 – Check if Windows 11 24H2 or newer

    If the victim machine was in fact 24H2 or newer, the Windows API NtManageHotPatch is patched in memory for process hollowing to succeed. The bytes used in the patching process and other information about this technique are described in depth by security researcher Hasherezade in her blog post here.

    Figure 34 – Patch NtManageHotPatch

    Parent process spoofing is handled by the method shown in the figure below, which calls the following APIs:

    • OpenProcess – Acquire handle to parent process to spoof.
    • InitializeProcThreadAttributeList – Initializes the specified list of attributes for process and thread creation.
    • UpdateProcThreadAttribute – Updates the parent process attribute.
    Figure 35 – Parent process spoofing
  3. “Shellcode” - Shellcode is written to memory and executed via the following Windows API calls:

    • VirtualAlloc – Allocate memory for shellcode.
    • Marshal.Copy – Write shellcode to memory.
    • VirtualProtect – Change permissions of memory to allow execution.
    • CreateThread – Create a thread to execute the shellcode.
    • WaitForSingleObject – Pause execution of current thread for INFINITE.
    Figure 36 – “Shellcode” injection technique in Pure Crypter

PureCrypterPunisher

We developed a tool known as PureCrypterPunisher to automate the process of extracting payloads, the Protobufs-based malware configuration, and string decryption/writing a new assembly that can be reversed easily. The tool is available for download here.

The figure below shows the tool’s usage instructions. Note that samples must first be processed with other tooling, such as .NET Reactor Slayer (with “Decrypt Resources” unchecked) and de4dot, before this tool is used.

Figure 37 – PureCrypterPunisher usage

An annotated sample of the Protobufs-based malware configuration values can be seen in the figure below.

Figure 38 – Dumped Protobufs-based malware configuration

What can you learn from this Malware Analysis?

How eSentire is Responding

The eSentire Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.

Recommendations from the Threat Response Unit (TRU):



The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
