gurcu | 1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testpandirequests.exe
Size

167KB
MD5

2c68cf0afa3c48c737b3751ccc373cbb
SHA1

1c097af0de509aa14d52630a84e814bae06ee4d9
SHA256

1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b
SHA512

0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f
SSDEEP

3072:+KzuRoHDIL06b4vIJq4NGDisYRrmWPyvW/fHPqScSoAAdbt:+Kzqma06b4QE43HPr

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot5975822207:AAFJtzAlzLoF8RfkpKUagQJGRi0ksib6w3g/sendMessage?chat_id=1396661331

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	testpandirequests.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	testpandirequests.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	testpandirequests.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	testpandirequests.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	testpandirequests.exe

Executes dropped EXE 8 IoCs

pid	Process
3248	testpandirequests.exe
5012	tor.exe
1080	testpandirequests.exe
1044	tor.exe
3604	testpandirequests.exe
1572	tor.exe
960	testpandirequests.exe
3024	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4912	1080	WerFault.exe	97
4240	3604	WerFault.exe	109
2116	960	WerFault.exe	114

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1988	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3248	testpandirequests.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	testpandirequests.exe
Token: SeDebugPrivilege	1080	testpandirequests.exe
Token: SeDebugPrivilege	3604	testpandirequests.exe
Token: SeDebugPrivilege	960	testpandirequests.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2976	2020	testpandirequests.exe	84
PID 2020 wrote to memory of 2976	2020	testpandirequests.exe	84
PID 2976 wrote to memory of 4516	2976	cmd.exe	86
PID 2976 wrote to memory of 4516	2976	cmd.exe	86
PID 2976 wrote to memory of 2644	2976	cmd.exe	87
PID 2976 wrote to memory of 2644	2976	cmd.exe	87
PID 2976 wrote to memory of 1988	2976	cmd.exe	88
PID 2976 wrote to memory of 1988	2976	cmd.exe	88
PID 2976 wrote to memory of 3248	2976	cmd.exe	89
PID 2976 wrote to memory of 3248	2976	cmd.exe	89
PID 3248 wrote to memory of 684	3248	testpandirequests.exe	90
PID 3248 wrote to memory of 684	3248	testpandirequests.exe	90
PID 3248 wrote to memory of 5012	3248	testpandirequests.exe	92
PID 3248 wrote to memory of 5012	3248	testpandirequests.exe	92
PID 1080 wrote to memory of 1044	1080	testpandirequests.exe	99
PID 1080 wrote to memory of 1044	1080	testpandirequests.exe	99
PID 3604 wrote to memory of 1572	3604	testpandirequests.exe	110
PID 3604 wrote to memory of 1572	3604	testpandirequests.exe	110
PID 960 wrote to memory of 3024	960	testpandirequests.exe	115
PID 960 wrote to memory of 3024	960	testpandirequests.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\testpandirequests.exe
"C:\Users\Admin\AppData\Local\Temp\testpandirequests.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "testpandirequests" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\testpandirequests.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4516
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2644
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "testpandirequests" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1988
- - C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpA4A1.tmp" -C "C:\Users\Admin\AppData\Local\11gybl5ujf"
      4⤵
      PID:684
  - - C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe
      "C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\11gybl5ujf\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:5012

C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe
  "C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\11gybl5ujf\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1080 -s 1700
  2⤵
  - Program crash
  PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:3876

C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe
  "C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\11gybl5ujf\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3604 -s 1704
  2⤵
  - Program crash
  PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 3604 -ip 3604
1⤵
PID:3328

C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe
  "C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\11gybl5ujf\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 960 -s 1712
  2⤵
  - Program crash
  PID:2116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 960 -ip 960
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\11gybl5ujf\data\cached-microdesc-consensus.tmp

Filesize
2.3MB

MD5
cf90fa3a9a4f38a4bc7062852dec45ba

SHA1
0ba595a323aca695c9c57a5e0b63b879d9feabfa

SHA256
0851ef13b0a8c84cbffaacfa40442d3cd1bfb47e1114fbe74e2a42fd7a6e6131

SHA512
f77a9aaf72bf408eec09bd60d82fde0b4190cbaae2c5e74b8c577f19050a5e5063c2a0e7b78d70ee2fa63e86584a0bd8106b8d0e953bf59dc80eb1caabee410f

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\data\cached-microdescs.new

Filesize
5.2MB

MD5
1083da4678ea6c75cbfd79a13c237dbd

SHA1
acce4cbd7fb336a1ddd4c5bb8a77c660d00f72a2

SHA256
4e1685c809b2b8aef670b71ff725d7868c55cbb330662b3c7722430896d2cba7

SHA512
5374fa58bd48b8df87bd71c229549d5a81a3eae1123317cbcd8fdfcf230ac787759bfbc93860ee6816f3283f5af6763792eb77380b1233172822dcc982600960

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\host\hostname

Filesize
64B

MD5
6cafd71176ac48c3960721ba37764e2f

SHA1
19b66af2ad631cd672a765c3f789781aef64daef

SHA256
be15429dfad27e67877d95988363d5eb327a9f44650cf84c3841302c0314a2d4

SHA512
edea3d8e8dda362f83f72509ccd5ce62ef016704846997d10dfe6fe77d204466d146a94aed60046cd7bd44f032813acbebfe69b036fccc03d7000a153162dd88

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\port.dat

Filesize
4B

MD5
77305c2f862ad1d353f55bf38e5a5183

SHA1
db667c0b2e0c54430dd741993db8d4af89482889

SHA256
3b9f84399baa1776bb6ed76ff4095f29d8e8128039d2d23300a3087733cb0a4c

SHA512
3a6e84882d05211af8f6415a27ba2911067625a9b3563434648aeceadc723181da58dd891ab7ba1054fe51c9c9bbadceba14b45814c49d8be3adbb726de18c3c

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\11gybl5ujf\torrc.txt

Filesize
218B

MD5
533946a3ab82ca9ef407580dc8016b2f

SHA1
1b292bee64d97f5330101ff135cf93761d5c55e7

SHA256
7888aaa46748080c3d56d5010b176766f844dfadf1d9d1a313a742a618ec5a83

SHA512
58436f5ab7ad2fc255faf26800dfce86b4cec322ec21ac5dffb8f4e96b86c6e61f3ce0c6ba23350c7d7100568f509b2035a1576dd78c6763c28bd3e4bbfd9b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\testpandirequests.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe

Filesize
167KB

MD5
2c68cf0afa3c48c737b3751ccc373cbb

SHA1
1c097af0de509aa14d52630a84e814bae06ee4d9

SHA256
1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

SHA512
0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe

Filesize
167KB

MD5
2c68cf0afa3c48c737b3751ccc373cbb

SHA1
1c097af0de509aa14d52630a84e814bae06ee4d9

SHA256
1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

SHA512
0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe

Filesize
167KB

MD5
2c68cf0afa3c48c737b3751ccc373cbb

SHA1
1c097af0de509aa14d52630a84e814bae06ee4d9

SHA256
1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

SHA512
0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe

Filesize
167KB

MD5
2c68cf0afa3c48c737b3751ccc373cbb

SHA1
1c097af0de509aa14d52630a84e814bae06ee4d9

SHA256
1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

SHA512
0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\testpandirequests.exe

Filesize
167KB

MD5
2c68cf0afa3c48c737b3751ccc373cbb

SHA1
1c097af0de509aa14d52630a84e814bae06ee4d9

SHA256
1afecf61614136499d6fd09238fb7900582bdd0487dd4ef1782862ed5c2dd09b

SHA512
0ba449d2bac3a962bc63fdc5966849ba83f04854ab110f6409b45423abf056f2fa1fc6880924326d6fd8e8e43bc91b3395ac79c79d7d5e3c14009c8a056b0e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4A1.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/960-218-0x000001AFA1A90000-0x000001AFA1AA0000-memory.dmp

Filesize
64KB

Download
memory/960-220-0x000001AFA1A90000-0x000001AFA1AA0000-memory.dmp

Filesize
64KB

Download
memory/1080-190-0x0000027D516C0000-0x0000027D516D0000-memory.dmp

Filesize
64KB

Download
memory/1080-203-0x0000027D516C0000-0x0000027D516D0000-memory.dmp

Filesize
64KB

Download
memory/2020-133-0x000001604FB30000-0x000001604FB60000-memory.dmp

Filesize
192KB

Download
memory/3248-187-0x000001F12E930000-0x000001F12E940000-memory.dmp

Filesize
64KB

Download
memory/3248-141-0x000001F12E930000-0x000001F12E940000-memory.dmp

Filesize
64KB

Download
memory/3604-211-0x0000018F3BD90000-0x0000018F3BDA0000-memory.dmp

Filesize
64KB

Download