
General

  • Target

    testlibidrequest.exe.bin

  • Size

    183KB

  • Sample

    230505-zs9wasgh3s

  • MD5

    c2302bfa2c8c29f71e98ebf44f33b9a4

  • SHA1

    2c2d10c1203a4e18fe912069ab702720239dd00f

  • SHA256

    138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

  • SHA512

    9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

  • SSDEEP

    3072:BXPyScIGLPEPYtsCUwJRuuZES9bVMO0pJLjTTC9nAk9lI6FZ/8y2FP8iKIaQnzHz:djgZES9bVP0pJLjTTC9nAk9lI6FV2Lu

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6278551241:AAGQ87XJeSopFO3i5HU3dXW_vXCr-ESRByQ/sendMessage?chat_id=1396661331
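The extracted C2 is a Telegram Bot API call: the path carries the bot token (`bot<id>:<secret>`) and the query carries the destination `chat_id`. As an added example (not part of the Triage report or the Gurcu code), the following Python parses such URLs out of an extracted config or a strings dump, pulls the token, method and chat_id out as indicators, and defangs the URL for reporting. `SAMPLE_CONFIG` is constructed for the example; its first URL is the one shown above, the second entry is made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Telegram Bot API endpoint: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# "<bot_id>:<secret>" is the bot token; whoever holds it can read and send as that
# bot, which is why a stealer shipping it in the binary is an actionable indicator.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)
# Loose scanner for bot URLs embedded in free text (config dump, strings output).
TELEGRAM_URL_SCAN = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/[A-Za-z]+(?:\?[^\s'<>\"]*)?"
)


def defang(url):
    """Make a URL safe to paste into a report: hxxps:// scheme and [.] in the host."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    return urlunsplit((scheme, parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


def parse_telegram_c2(url):
    """Return indicators from a Telegram Bot API C2 URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parts.path)
    if not m:
        return None
    chat_ids = parse_qs(parts.query).get("chat_id", [])
    token = f"{m.group('bot_id')}:{m.group('secret')}"
    return {
        "bot_id": m.group("bot_id"),
        "bot_token": token,
        "method": m.group("method"),
        "chat_id": chat_ids[0] if chat_ids else None,
        # Path prefix shared by every call this bot makes; usable as an IOC
        # wherever the HTTP path is visible (sandbox, TLS-terminating proxy).
        "path_ioc": f"/bot{token}/",
        "defanged": defang(url),
    }


def find_telegram_c2(blob):
    """Scan free text and parse every Telegram bot URL found in it."""
    results = []
    for m in TELEGRAM_URL_SCAN.finditer(blob):
        parsed = parse_telegram_c2(m.group(0))
        if parsed:
            results.append(parsed)
    return results


# Constructed input: the first c2 line is the URL from the report above; the
# second is made up to show a sendDocument upload to a group (negative chat_id).
SAMPLE_CONFIG = """\
family: gurcu
c2: https://api.telegram.org/bot6278551241:AAGQ87XJeSopFO3i5HU3dXW_vXCr-ESRByQ/sendMessage?chat_id=1396661331
c2: https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument?chat_id=-1001234567890&caption=log
"""

if __name__ == "__main__":
    for ioc in find_telegram_c2(SAMPLE_CONFIG):
        print(f"bot {ioc['bot_id']} -> chat {ioc['chat_id']} via {ioc['method']}: {ioc['defanged']}")
```

Because the traffic is HTTPS, the only thing visible on the wire is DNS and TLS SNI for api.telegram.org, which is not malicious on its own; the token and chat_id in the path and query are only observable where TLS is terminated (a sandbox like this one, or an inspecting proxy). The token is the indicator worth acting on: it identifies the attacker's bot regardless of which sample carries it.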

Targets

    • Target

      testlibidrequest.exe.bin

    • Size

      183KB

    • MD5

      c2302bfa2c8c29f71e98ebf44f33b9a4

    • SHA1

      2c2d10c1203a4e18fe912069ab702720239dd00f

    • SHA256

      138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

    • SHA512

      9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

    • SSDEEP

      3072:BXPyScIGLPEPYtsCUwJRuuZES9bVMO0pJLjTTC9nAk9lI6FZ/8y2FP8iKIaQnzHz:djgZES9bVP0pJLjTTC9nAk9lI6FV2Lu

    • Gurcu, WhiteSnake

Gurcu, also tracked as WhiteSnake, is an information stealer written in C#.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
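The signatures above are each backed by a concrete host artifact: a registry read of the user's geo setting, file reads of browser credential stores, a registry open under the Outlook profiles key, an HTTP request to an IP-echo service, a cmd.exe self-delete and, from the extracted config, the Telegram Bot API call. As an added example (not Triage's own signature engine), this Python runs simple predicates for those behaviours over a list of sandbox-style events. The events in `SAMPLE_EVENTS` are constructed for the example; the registry paths, browser file names, IP-lookup hosts and the delayed-delete command line are the usual locations for each behaviour and are assumptions, not observations of this sample, while the Telegram host and path are taken from the extracted C2.

```python
import re

# "What is my IP" services; assumed list, not taken from the report.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io",
                   "checkip.amazonaws.com"}
# Chromium and Firefox credential / cookie store file names (lower-cased).
BROWSER_DATA_FILES = ("login data", "cookies", "web data",
                      "logins.json", "cookies.sqlite", "key4.db")


def _is_reg(e):
    return e["op"] in ("RegOpenKey", "RegQueryValue")


def sig_location_check(e):
    # GetUserGeoID-style lookup of HKCU\Control Panel\International\Geo\Nation (assumed path)
    return _is_reg(e) and e.get("path", "").lower().endswith(r"\international\geo\nation")


def sig_browser_data(e):
    p = e.get("path", "").lower()
    return e["op"] == "FileRead" and any(p.endswith(name) for name in BROWSER_DATA_FILES)


def sig_outlook_profiles(e):
    return _is_reg(e) and r"\outlook\profiles" in e.get("path", "").lower()


def sig_external_ip(e):
    return e["op"] == "HttpRequest" and e.get("host", "").lower() in IP_LOOKUP_HOSTS


def sig_telegram_c2(e):
    return (e["op"] == "HttpRequest"
            and e.get("host", "").lower() == "api.telegram.org"
            and e.get("path", "").startswith("/bot"))


def sig_self_delete(e):
    # cmd.exe with a delay primitive (choice/timeout/ping) followed by "del <...>.exe"
    cmd = e.get("cmd", "").lower()
    return (e["op"] == "ProcessCreate"
            and re.search(r"\b(choice|timeout|ping)\b.*\bdel\b.*\.exe", cmd) is not None)


SIGNATURES = {
    "Checks computer location settings": sig_location_check,
    "Reads user/profile data of web browsers": sig_browser_data,
    "Accesses Microsoft Outlook profiles": sig_outlook_profiles,
    "Looks up external IP address via web service": sig_external_ip,
    "Deletes itself": sig_self_delete,
    "Contacts Telegram Bot API (extracted C2)": sig_telegram_c2,
}


def match_signatures(events):
    """Map each triggered signature name to the events that triggered it."""
    hits = {}
    for e in events:
        for name, pred in SIGNATURES.items():
            if pred(e):
                hits.setdefault(name, []).append(e)
    return hits


# Constructed events, not the report's own trace.
SAMPLE_EVENTS = [
    {"op": "RegQueryValue", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"op": "FileRead",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "RegOpenKey", "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"op": "HttpRequest", "host": "api.ipify.org", "path": "/"},
    {"op": "HttpRequest", "host": "api.telegram.org",
     "path": "/bot6278551241:AAGQ87XJeSopFO3i5HU3dXW_vXCr-ESRByQ/sendMessage"},
    {"op": "ProcessCreate",
     "cmd": 'cmd.exe /c choice /C Y /N /D Y /T 3 & del "C:\\Users\\user\\Desktop\\testlibidrequest.exe"'},
    {"op": "HttpRequest", "host": "www.microsoft.com", "path": "/"},  # benign noise
]

if __name__ == "__main__":
    for name, evs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

None of these predicates is malicious on its own (a locale check or an IP lookup is ordinary application behaviour); the value is in the combination, which is how the report reaches a stealer verdict: geofence check, credential-store reads, mailbox profile access, IP lookup and an exfiltration channel in one process.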

MITRE ATT&CK Enterprise v6

Tasks