gurcu | fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea

Analysis

max time kernel
136s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build_4.exe
Size

165KB
MD5

547933c1a8ea0eb111e619d70ca2c657
SHA1

aca394a095c3951ace115ac621a67df1ff4d2e33
SHA256

fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
SHA512

5df1b41c5f19e304cc0758b175252c17cc6ccb1d3d91ba2f153138dfbd8e2ef3cd6efe8a136559c55952bdb43a7f206f7ba4e04674ee95363ca8409e48745c2b
SSDEEP

1536:ROwwIJbzij3pPEOGFmd8Szav8IDYFUxT1DR5jPVSBSVG41AG9wL4yXacCwPIC6Xi:RyIlz2p8Yai3GNzDeeb4FzeDGwKSHqj

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	build_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	build_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	build_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	build_4.exe

Executes dropped EXE 6 IoCs

pid	Process
3448	build_4.exe
4916	tor.exe
3816	build_4.exe
4304	tor.exe
5076	build_4.exe
4956	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2672	3816	WerFault.exe	100
3784	5076	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1052	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3448	build_4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	build_4.exe
Token: SeDebugPrivilege	3816	build_4.exe
Token: SeDebugPrivilege	5076	build_4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1424	848	build_4.exe	83
PID 848 wrote to memory of 1424	848	build_4.exe	83
PID 1424 wrote to memory of 4152	1424	cmd.exe	85
PID 1424 wrote to memory of 4152	1424	cmd.exe	85
PID 1424 wrote to memory of 5000	1424	cmd.exe	86
PID 1424 wrote to memory of 5000	1424	cmd.exe	86
PID 1424 wrote to memory of 1052	1424	cmd.exe	87
PID 1424 wrote to memory of 1052	1424	cmd.exe	87
PID 1424 wrote to memory of 3448	1424	cmd.exe	88
PID 1424 wrote to memory of 3448	1424	cmd.exe	88
PID 3448 wrote to memory of 4588	3448	build_4.exe	92
PID 3448 wrote to memory of 4588	3448	build_4.exe	92
PID 3448 wrote to memory of 4916	3448	build_4.exe	94
PID 3448 wrote to memory of 4916	3448	build_4.exe	94
PID 3816 wrote to memory of 4304	3816	build_4.exe	101
PID 3816 wrote to memory of 4304	3816	build_4.exe	101
PID 5076 wrote to memory of 4956	5076	build_4.exe	106
PID 5076 wrote to memory of 4956	5076	build_4.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\build_4.exe
"C:\Users\Admin\AppData\Local\Temp\build_4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build_4" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build_4.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4152
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5000
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "build_4" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1052
- - C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpE014.tmp" -C "C:\Users\Admin\AppData\Local\d92pmiifqt"
      4⤵
      PID:4588
  - - C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe
      "C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\d92pmiifqt\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:4916

C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe
  "C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\d92pmiifqt\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3816 -s 1624
  2⤵
  - Program crash
  PID:2672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3816 -ip 3816
1⤵
PID:1748

C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe
  "C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\d92pmiifqt\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5076 -s 1624
  2⤵
  - Program crash
  PID:3784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 5076 -ip 5076
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build_4.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe

Filesize
165KB

MD5
547933c1a8ea0eb111e619d70ca2c657

SHA1
aca394a095c3951ace115ac621a67df1ff4d2e33

SHA256
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea

SHA512
5df1b41c5f19e304cc0758b175252c17cc6ccb1d3d91ba2f153138dfbd8e2ef3cd6efe8a136559c55952bdb43a7f206f7ba4e04674ee95363ca8409e48745c2b

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe

Filesize
165KB

MD5
547933c1a8ea0eb111e619d70ca2c657

SHA1
aca394a095c3951ace115ac621a67df1ff4d2e33

SHA256
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea

SHA512
5df1b41c5f19e304cc0758b175252c17cc6ccb1d3d91ba2f153138dfbd8e2ef3cd6efe8a136559c55952bdb43a7f206f7ba4e04674ee95363ca8409e48745c2b

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe

Filesize
165KB

MD5
547933c1a8ea0eb111e619d70ca2c657

SHA1
aca394a095c3951ace115ac621a67df1ff4d2e33

SHA256
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea

SHA512
5df1b41c5f19e304cc0758b175252c17cc6ccb1d3d91ba2f153138dfbd8e2ef3cd6efe8a136559c55952bdb43a7f206f7ba4e04674ee95363ca8409e48745c2b

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build_4.exe

Filesize
165KB

MD5
547933c1a8ea0eb111e619d70ca2c657

SHA1
aca394a095c3951ace115ac621a67df1ff4d2e33

SHA256
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea

SHA512
5df1b41c5f19e304cc0758b175252c17cc6ccb1d3d91ba2f153138dfbd8e2ef3cd6efe8a136559c55952bdb43a7f206f7ba4e04674ee95363ca8409e48745c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE014.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\data\cached-microdesc-consensus.tmp

Filesize
2.3MB

MD5
75c8295f4aa15a72524f8bd7afe346ed

SHA1
9148b13288eb5fdbdf9fc305b7200c8022a693ff

SHA256
c3a82a9e74dac9c01489ce8bd7d85497ed86e1810eb0d9c7e5d7bbf4997da241

SHA512
7114c8d54893fec764474e0d90faee4deff855789d00ee4f4fb706b41aec79655b7f9004735d4f766bd2d7ee5a53995e27fa7d2d3a7b5ff48bc215b512d43e21

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\data\cached-microdescs.new

Filesize
5.5MB

MD5
3d3cf29fa867f81bad8da967185418c8

SHA1
84764f2ac92bd01ad9bc43dd5a5006ec455b2787

SHA256
eb29dcbbeb66fbe635ceeabffcea79ee97d3d8667458efbf23188bb4d245126a

SHA512
826e62fa12c2d9bf3ae5b83997a5f0617d93fc590a07fd7836355e2c20d3c45ddaae8fe42359fa20a9ce14b571fad2507d2829b5717a2be7c662a92b3ea6ffbe

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\host\hostname

Filesize
64B

MD5
58231f882936aaf3c5c1b76928709e75

SHA1
cf3788ac39b4a6eb40bfb81043c7d26c34cd48c7

SHA256
20976703dc3560684b67a579b174ef8dcb71c179ff16accc1b5db88a2daf5922

SHA512
159454d5398cfc7d6b93df30916007fe5b69fd2528fd38f530948a468e0c4b0dfbc05aa72a41007c405b29cf9a82d34a9019c9998fb749243f7990d843c9ebab

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\port.dat

Filesize
4B

MD5
68331ff0427b551b68e911eebe35233b

SHA1
7fc9231234ffeaa7228d01f1128f2312b4d17983

SHA256
6b7439e60b94dd174ab946b8c1c1885c4a3a8a068def32ebe6ab0965b752daa7

SHA512
c53ca00f8be08f25dd64ed6081f90634daa27cecd4875cc00948644055da8f87d63f39221375f3a5505761db5e5c2ddb4c8e1b1e878d6134261cd9e81717cec6

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\d92pmiifqt\torrc.txt

Filesize
218B

MD5
d713f76e9a2c928b62dde1d4dbf1f716

SHA1
64ca8191df81cfacb8decb6563efad8b93001c95

SHA256
1ef514a2f91bb8558ba310a431046b8fe0c1a232cc83fb400a7d1d55cead5ddc

SHA512
dd32b9cf3aa89d170c9a9469d5842eee0c90cd4b301bb41f785e255e52e7d1eaf77474028ffcdb6d471eaa1ce3a2d4c3faac61fb890d63cb7d880304ac165973

Download Submit
memory/848-133-0x00000240F03E0000-0x00000240F0410000-memory.dmp

Filesize
192KB

Download
memory/3448-171-0x00000187372B0000-0x00000187372C0000-memory.dmp

Filesize
64KB

Download
memory/3448-142-0x00000187372B0000-0x00000187372C0000-memory.dmp

Filesize
64KB

Download
memory/3816-208-0x0000025FB4850000-0x0000025FB4860000-memory.dmp

Filesize
64KB

Download
memory/5076-215-0x0000020D4EBC0000-0x0000020D4EBD0000-memory.dmp

Filesize
64KB

Download