Overview

overview

10

Static

static

10

testlibidrequest.exe

windows7-x64

10

testlibidrequest.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2023 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    testlibidrequest.exe

  • Size

    183KB

  • MD5

    c2302bfa2c8c29f71e98ebf44f33b9a4

  • SHA1

    2c2d10c1203a4e18fe912069ab702720239dd00f

  • SHA256

    138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

  • SHA512

    9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

  • SSDEEP

    3072:BXPyScIGLPEPYtsCUwJRuuZES9bVMO0pJLjTTC9nAk9lI6FZ/8y2FP8iKIaQnzHz:djgZES9bVP0pJLjTTC9nAk9lI6FV2Lu

Score
10/10
gurcucollectionspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6278551241:AAGQ87XJeSopFO3i5HU3dXW_vXCr-ESRByQ/sendMessage?chat_id=1396661331

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\testlibidrequest.exe
    "C:\Users\Admin\AppData\Local\Temp\testlibidrequest.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "testlibidrequest" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\testlibidrequest.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3168
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "testlibidrequest" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:1068
        • C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
          "C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:216
    • C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
      C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2468
      • C:\Windows\System32\tar.exe
        "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpD00.tmp" -C "C:\Users\Admin\AppData\Local\z2012buvf7"
        2⤵
          PID:1588
        • C:\Users\Admin\AppData\Local\z2012buvf7\tor\tor.exe
          "C:\Users\Admin\AppData\Local\z2012buvf7\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\z2012buvf7\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4448

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\testlibidrequest.exe.log
        Filesize

        847B

        MD5

        3308a84a40841fab7dfec198b3c31af7

        SHA1

        4e7ab6336c0538be5dd7da529c0265b3b6523083

        SHA256

        169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

        SHA512

        97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

        Download Submit

      • C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
        Filesize

        183KB

        MD5

        c2302bfa2c8c29f71e98ebf44f33b9a4

        SHA1

        2c2d10c1203a4e18fe912069ab702720239dd00f

        SHA256

        138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

        SHA512

        9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

        Download Submit

      • C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
        Filesize

        183KB

        MD5

        c2302bfa2c8c29f71e98ebf44f33b9a4

        SHA1

        2c2d10c1203a4e18fe912069ab702720239dd00f

        SHA256

        138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

        SHA512

        9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

        Download Submit

      • C:\Users\Admin\AppData\Local\NET.Framework\testlibidrequest.exe
        Filesize

        183KB

        MD5

        c2302bfa2c8c29f71e98ebf44f33b9a4

        SHA1

        2c2d10c1203a4e18fe912069ab702720239dd00f

        SHA256

        138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f

        SHA512

        9d0a67476039b8f26216af1c9d56c0f0e6a6d4797eab2640e2f1720d0e451ca09459e2293a0dd66f60325688cba17ad82f9b62cb3fabfb118c2f40950168b0e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpD00.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\data\cached-microdesc-consensus.tmp
        Filesize

        2.3MB

        MD5

        cf90fa3a9a4f38a4bc7062852dec45ba

        SHA1

        0ba595a323aca695c9c57a5e0b63b879d9feabfa

        SHA256

        0851ef13b0a8c84cbffaacfa40442d3cd1bfb47e1114fbe74e2a42fd7a6e6131

        SHA512

        f77a9aaf72bf408eec09bd60d82fde0b4190cbaae2c5e74b8c577f19050a5e5063c2a0e7b78d70ee2fa63e86584a0bd8106b8d0e953bf59dc80eb1caabee410f

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\data\cached-microdescs.new
        Filesize

        4.7MB

        MD5

        a969e4899519dee67f4a5d0768350fb2

        SHA1

        ecfbcfc50c0927a478772329fa9b30b39acf0454

        SHA256

        759a6cdcfd49dea3948b4b694f4e164ec3713c7ae74f5fc332e289475d1541f7

        SHA512

        10201699316559e58d5ce177ba105a32466222c39f0884aaa6d73d2ccddf2c06d9f1c5f5219a7595ee0996a7ff6944a04516d68aee6770f25b6ae49c4b7c9f58

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\host\hostname
        Filesize

        64B

        MD5

        a0815434ec20beda6b1827d9fba574f7

        SHA1

        8804bb9c7855a3579363d5a6a5e7ed3630b14a53

        SHA256

        614f6f1f0b00250244aea0ea538567582c55f7a2e7a59cd138dc08f235efd9f8

        SHA512

        b0ffbec1557d157c61322b200014d16b743205564f9909d9279366f1a08f20627c9a74243bde54d3b0e90defc317c8f8e4141761e83742f0155a97331b1b8e17

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\port.dat
        Filesize

        4B

        MD5

        73c14008d55c730e10bb9412a5be1a16

        SHA1

        185ab9ebc070b0b242472a9489383866a9255d5f

        SHA256

        3d4ba0dbe63a11bc53e7b5b5c6f0d558669989548dbe4287d8f9cea54427c58c

        SHA512

        fe37b578d1b55a815446a8789fc57446841b291d9d7a90a2f1ae24ccbd952c6ef1a0ed3da665409c118a1017816c75ed168449b8b16dd55c4c9744f0d44b7f54

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\report.lock
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\z2012buvf7\torrc.txt
        Filesize

        218B

        MD5

        2aa702ecea3480f7762a11024de22bd5

        SHA1

        41bbf7399ac1b216cf9c977bd17bc1bc6542ec31

        SHA256

        ef5408006b5b6c2cd16e2fec1a877b9259dab1d25fbe68653bd9e6d27f30122e

        SHA512

        292e295a3b2f56e7bb1c5ac8317ddea207773ba9928001f954d439aaf4778cbd07029e53728cfd1ff1013af5697bb3965989525962c303b0800b05e5926d6e29

        Download Submit

      • memory/216-144-0x00000234DCAA0000-0x00000234DCAB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/216-142-0x00000234DCAA0000-0x00000234DCAB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2468-147-0x0000022941150000-0x0000022941160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2468-190-0x0000022941150000-0x0000022941160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4248-133-0x000002540F1A0000-0x000002540F1D4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4248-136-0x0000025410EF0000-0x0000025410F00000-memory.dmp

        Filesize

        64KB

        Download